WaGo uses two token types:
| Token | Header | Used for |
|---|---|---|
| Session token | token | Normal session API calls for one WhatsApp account. |
| Admin token | admintoken | Creating, listing, deleting, and verifying tokens. |
Most endpoints use the session token:
curl -H "token: YOUR_SESSION_TOKEN" \
  http://localhost:1337/session/status
Admin endpoints use admintoken:
curl -H "admintoken: YOUR_ADMIN_TOKEN" \
  http://localhost:1337/session/all

Session token

A session token maps one API consumer to one WaGo session row. The token is also how WaGo finds the connected WhatsApp client in memory. Send it as a header:
token: YOUR_SESSION_TOKEN
Some older middleware also accepts ?token=..., but production clients should use the header. A header value is easier to keep out of logs and reverse proxy records than a token carried in the URL.

Admin token

The admin token is for deployment owners. Keep it server-side. Do not put it in browser code. Admin operations include:
  • POST /session/init
  • GET /session/all
  • POST /session/delete
  • POST /session/scanned
  • POST /server/license
  • GET /server/update

Browser apps

If you build a web app on top of WaGo, do not expose admin features to regular users. The usual browser flow is:
  1. Your backend authenticates your user.
  2. Your backend decides which WaGo token belongs to that user.
  3. Your backend calls WaGo, or your frontend calls WaGo only with a limited session token.
  4. Admin token stays only on your infrastructure.
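
The browser flow above, as an added example that is not WaGo's own code: a backend helper that picks the session token for an already-authenticated user and refuses to forward admin endpoints. The user-to-token mapping, the allowlist, and the names `build_wago_request` and `forward` are assumptions; the base URL and paths are the ones shown on this page.

```python
import urllib.request

WAGO_BASE = "http://localhost:1337"  # base URL from the curl examples on this page

# Constructed sample mapping; a real backend loads this from its own user store.
USER_SESSION_TOKENS = {"alice": "sess-token-alice", "bob": "sess-token-bob"}

# Admin operations listed on this page; never reachable on behalf of a regular user.
ADMIN_PATHS = {
    "/session/init", "/session/all", "/session/delete",
    "/session/scanned", "/server/license", "/server/update",
}

# Session endpoints this backend chooses to expose (assumption: app-specific allowlist).
ALLOWED_PATHS = {"/session/status", "/session/connect", "/session/qr"}


class Forbidden(Exception):
    """Raised when a request must not be forwarded to WaGo."""


def build_wago_request(user_id, method, path):
    """Return a urllib Request that carries only this user's session token."""
    path = path.split("?", 1)[0]  # drop any query string, including ?token=...
    # Explicit deny first, so an admin path added to the allowlist by mistake still fails.
    if path in ADMIN_PATHS or path not in ALLOWED_PATHS:
        raise Forbidden(f"path not exposed to users: {path}")
    token = USER_SESSION_TOKENS.get(user_id)
    if token is None:
        raise Forbidden("no WaGo session assigned to this user")
    req = urllib.request.Request(WAGO_BASE + path, method=method)
    req.add_header("token", token)  # sent as a header, never in the URL
    return req


def forward(user_id, method, path):
    """Send the request; user_id must come from your own authenticated session."""
    req = build_wago_request(user_id, method, path)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()
```

The admin token never appears in this code path; keep it in a separate, operator-only tool or job.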

Common authentication errors

| Error | Meaning | Fix |
|---|---|---|
| invalid token | WaGo cannot find a matching session token. | Check the exact token header. |
| No session | Token exists but no WhatsApp client is connected in memory. | Call POST /session/connect. |
| not logged in | The session is not scanned or WhatsApp logged out. | Fetch /session/qr and scan again. |
| invalid admin token | admintoken does not match the configured admin token. | Use the deployment admin token only from trusted backend code. |