Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.wava.co/llms.txt

Use this file to discover all available pages before exploring further.

Partner Authentication

Partner requests require three headers on every API call: two for partner authentication and one to identify the target store.

Required headers

curl -X POST "https://api.wava.co/v1/orders" \
  -H "merchant-key: STORE_MERCHANT_KEY" \
  -H "X-API-Key: YOUR_PARTNER_API_KEY" \
  -H "X-API-Secret: YOUR_PARTNER_SECRET_KEY" \
  -H "Content-Type: application/json" \
  -d '{ ... }'
HeaderPurpose
merchant-keyIdentifies the store the operation is for
X-API-KeyPartner API key for identification
X-API-SecretPartner secret key for authentication

Two-Factor Authentication

Partner authentication uses a two-factor system for enhanced security:
  1. API Key (X-API-Key): Identifies which partner is making the request
  2. API Secret (X-API-Secret): Authenticates that the request is legitimate
Both headers must be present and valid for the request to be authenticated.

How the backend processes partner requests

When all three headers are present, the Wava API:
  1. Validates both the X-API-Key and X-API-Secret belong to an active partner account.
  2. Validates the merchant-key belongs to an active store.
  3. Verifies the partner has permission to operate on behalf of that store.
  4. Processes the request and associates it with both the store and the partner.
If any validation fails, the API returns a 401 Unauthorized error.
All three headers are required. The partner credentials (X-API-Key and X-API-Secret) authenticate the partner, and the merchant-key identifies which store the operation is for.