Back to docs

API & Webhooks

Authentication

Generate API keys and authenticate requests to the Winora REST API.

API authentication

Winora uses API keys for machine-to-machine authentication. Keys are workspace-scoped - they have access to all data within the workspace they were created in.

Generating an API key

  1. Go to Settings → API keys.
  2. Click New key.
  3. Give it a descriptive name (e.g. "Mobile app - production").
  4. Copy the key immediately - it is only shown once.

Security tip: Store API keys in environment variables or a secrets manager, never in source code.

Using the key

Include the key in the Authorization header on every request:

curl https://app.winora.dev/api/v1/conversations \
  -H "Authorization: Bearer wk_live_xxxxxxxxxxxx" \
  -H "x-workspace-id: YOUR_WORKSPACE_ID"

Workspace ID

Many endpoints also require the x-workspace-id header. Find your workspace ID in Settings → Workspace → Advanced.

Revoking a key

Go to Settings → API keys, click the trash icon next to the key, and confirm. Revoked keys stop working immediately.

Key rotation

We recommend rotating API keys every 90 days as a security best practice. Create the new key, update your systems, then revoke the old key.