Partner Authentication
Partner requests require three headers on every API call: two for partner authentication and one to identify the target store.
curl -X POST "https://api.wava.co/v1/orders" \
-H "merchant-key: STORE_MERCHANT_KEY" \
-H "X-API-Key: YOUR_PARTNER_API_KEY" \
-H "X-API-Secret: YOUR_PARTNER_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{ ... }'
| Header | Purpose |
|---|
merchant-key | Identifies the store the operation is for |
X-API-Key | Partner API key for identification |
X-API-Secret | Partner secret key for authentication |
Two-Factor Authentication
Partner authentication uses a two-factor system for enhanced security:
- API Key (
X-API-Key): Identifies which partner is making the request
- API Secret (
X-API-Secret): Authenticates that the request is legitimate
Both headers must be present and valid for the request to be authenticated.
How the backend processes partner requests
When all three headers are present, the Wava API:
- Validates both the
X-API-Key and X-API-Secret belong to an active partner account.
- Validates the
merchant-key belongs to an active store.
- Verifies the partner has permission to operate on behalf of that store.
- Processes the request and associates it with both the store and the partner.
If any validation fails, the API returns a 401 Unauthorized error.
All three headers are required. The partner credentials (X-API-Key and X-API-Secret) authenticate the partner, and the merchant-key identifies which store the operation is for.
