Authentication

All API requests are authenticated with a Bearer token.

Overview

Every request to /v1/* must include an Authorization header with a valid API token:

Authorization: Bearer <your_token>

Requests without a valid token return TOKEN_INVALID (401).

Creating a token

  1. Open the dashboard
  2. Click New token
  3. Copy the token, or come back and view it in the dashboard later.

Generating a new token replaces the previous one. The old token stops working right away.

Using your token

Pass the token in the Authorization header on every request:

curl -X POST https://api.thewitn.com/v1/events \
  -H "Authorization: Bearer <your_token>"

Never include your API token in client-side code or commit it to source control. Store it in an environment variable or a secrets manager.

Example: environment variable

# .env
WITN_API_KEY=your_token_here
const res = await fetch('https://api.thewitn.com/v1/events', {
  method: 'POST',
  headers: {
    Authorization: `Bearer ${process.env.WITN_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    key: 'support:ticket:1001',
    action: 'signed',
    agent_key: 'support',
    customer_key: 'acme',
  }),
})

Token security model

PropertyDetail
FormatTokens are HMAC-signed and verified on every request without a database lookup.
RetrievalYour token stays viewable in the dashboard, so you can copy it again at any time.
ScopeTokens are scoped to your account. They can access all resources owned by your user.
RotationGenerate a new token to replace the old one. The previous token stops working right away.

Error responses

SituationCodeStatus
Authorization header missingTOKEN_INVALID401
Wrong scheme (not Bearer)TOKEN_INVALID401
Token signature invalid or malformedTOKEN_INVALID401

See TOKEN_INVALID for the full error reference.

On this page