Security and use of API keys

WaFloW.ai API Keys allow programmatic access to sensitive features and data.
Therefore, proper management is essential to protect your account, your customers, and your integrations.

This document contains best practices for security and recommended usage guidelines.

Why it is important to protect API keys #

An API Key grants direct access to:

WhatsApp events.
Contact and conversation data.
Integrations with external systems.
Critical automations.

If an API Key is compromised, a third party could access or interfere with your system.

Basic safety principles #

When working with API Keys, always follow these principles:

Treat the API Key as a password.
Grant access only to those who need it.
Limit its use to the specific case.
Revoke keys that are no longer in use.

Safety begins with good management.

Where you should NOT use an API Key #

Never expose an API Key in:

Frontend code (browser JavaScript).
Public repositories.
Documentation visible to the customer.
Unencrypted emails or chats.

API Keys should only be used in secure environments (backend, servers, automation tools).

Recommended use of API Keys #

Recommended best practices:

Use one API Key per integration.
Create separate keys for testing and production.
Assign clear names to each key.
Document internally what each one is used for.

This facilitates auditing and maintenance.

Key rotation and revocation #

It is recommended:

Rotate API keys periodically.
Revoke old or unused keys.
Immediately revoke a key if you suspect compromise.

Revoking a key automatically invalidates its use.

What to do if an API Key is compromised #

If you believe that an API Key has been exposed:

Immediately revoke the key from WaFloW.ai.
Create a new API Key.
Update the key on all systems that used it.
Review logs and associated automations.

Acting quickly reduces risks.

Access control on equipment #

If you work in a team:

Restrict who can create or revoke API Keys.
Avoid sharing passwords with others.
Use shared secret managers.
Define clear responsibilities.

Security is also organizational.

Summary #

Safe use of API Keys involves:

Do not expose them publicly.
Create specific keys for integration.
Revoke unnecessary keys.
Review and rotate accesses periodically.

A powerful API requires responsible management.

What are your feelings

Updated on 26 de January de 2026

Docs WaFloW

Introduction to WaFloW.ai

First steps (Onboarding)

Main panel and navigation

Subaccounts and connection with GoHighLevel (GHL)

WhatsApp device management

Integrations and automation

Advanced messaging and customization

Message sending and output logic (Advanced)

Connecting WhatsApp via QR code

Subscription and billing management

Brand configuration (White Label)

API and Webhooks (Advanced)

Support and troubleshooting

Connect Chatwoot to WaFloW.ai