Authentication
Warpweb uses Bearer tokens over HTTPS. Every request to api.warpweb.ai requires an Authorization header.
curl https://api.warpweb.ai/v1/sites \
  -H "Authorization: Bearer wwk_<your-key>"
Requests without a valid key return 401 Unauthorized.
Key format
All Warpweb API keys start with wwk_ followed by 43 characters of random base64url. Example shape: wwk_aBc123…. The plaintext value is shown once at creation — capture it immediately.
Every key authorizes every endpoint scoped to your account. There is no separate “read-only” vs “write” key; treat every key as a secret and keep it server-side.
Creating, rotating, revoking
All key management happens in the dashboard at app.warpweb.ai/api-keys.
- Create — generates a new key. The plaintext value is shown once. Copy it immediately into your secret manager; we can’t retrieve it later.
- Rotate — creates a new key with the same permissions and revokes the old one. Use this for periodic credential hygiene or after a suspected leak.
- Revoke — invalidates a key immediately. Subsequent requests with that key get 401.
Multiple active keys per account are supported. You can tag them by environment (prod, staging, ci) in the dashboard, but tags are organizational only — all keys hit the same production api.warpweb.ai regardless of tag. There is no separate staging endpoint in V1.
Storing keys
- Use your platform’s secret manager (Vercel env vars, AWS Secrets Manager, Doppler, 1Password, etc.).
- Never commit keys to git.
- Rotate keys when team members with access leave.
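One way to enforce the "never commit keys" rule, using the key format described above: scan the added lines of a unified diff for wwk_ keys and report file and line with the key redacted. This is an added example, not Warpweb code; the scan_diff name, the sample key and the sample diff are constructed for illustration.

```python
import re
import sys

# Key shape stated on the page: "wwk_" followed by 43 base64url characters.
KEY_RE = re.compile(r"wwk_[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])")
HUNK_RE = re.compile(r"^@@ -\d+(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed sample key and diff (not a real credential or a real file).
SAMPLE_KEY = "wwk_" + "Ab3_-" * 8 + "xYz"
SAMPLE_DIFF = f"""\
diff --git a/deploy/.env b/deploy/.env
--- a/deploy/.env
+++ b/deploy/.env
@@ -1,3 +1,4 @@
 NODE_ENV=production
-WARPWEB_KEY=
+WARPWEB_KEY={SAMPLE_KEY}
+DOCS_HINT=wwk_<your-key>
 LOG_LEVEL=info
"""


def scan_diff(diff_text):
    """Return (path, new-file line number, redacted key) for keys on added lines."""
    findings, path, new_line = [], None, 0
    old_left = new_left = 0  # lines still expected in the current hunk body
    for line in diff_text.splitlines():
        if old_left > 0 or new_left > 0:
            if line.startswith("+"):
                for key in KEY_RE.findall(line[1:]):
                    # Report only prefix + 4 characters so the finding does not leak the key.
                    findings.append((path, new_line, key[:8] + "..."))
                new_line, new_left = new_line + 1, new_left - 1
            elif line.startswith("-"):
                old_left -= 1
            elif not line.startswith("\\"):  # context line; "\ No newline..." is skipped
                old_left, new_left, new_line = old_left - 1, new_left - 1, new_line + 1
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif (m := HUNK_RE.match(line)):
            old_left, new_line, new_left = int(m[1] or 1), int(m[2]), int(m[3] or 1)
    return findings


if __name__ == "__main__":
    hits = scan_diff(sys.stdin.read())
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: Warpweb API key {key}", file=sys.stderr)
    sys.exit(1 if hits else 0)
```

Run from a pre-commit hook as `git diff --cached | python scan_wwk.py` (hypothetical file name); a non-zero exit stops the commit. A key that has already been committed or pushed should be rotated in the dashboard, not just removed from the file.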
TLS
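Warpweb requires TLS 1.2+. Plain HTTP requests are redirected to HTTPS, but you should call HTTPS directly: a request sent over plain HTTP carries the Authorization header unencrypted before the redirect is ever returned.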
Rate limits
30 requests per minute per key, measured over a sliding window. Capacity returns continuously as older requests age out of the window, so back off a few seconds and retry.
If 30 req/min is too tight for your use case, contact support; we’ll raise the cap for legitimate workloads.
Errors
All authentication errors return JSON with a stable error code:
| Status | Body | Cause |
|---|---|---|
| 401 | { "error": "Missing or invalid Authorization header" } | Missing or malformed Authorization header. |
| 401 | { "error": "Invalid or revoked API key" } | Key not recognized, revoked, or expired. |
| 429 | { "error": "Rate limit exceeded. Max 30 requests per minute." } | Too many requests in the sliding window. Back off and retry. |
Example 429 response:
HTTP/1.1 429 Too Many Requests
Content-Type: application/json

{
  "error": "Rate limit exceeded. Max 30 requests per minute."
}