Waymaker API
WaymakerAPI
Developer Documentation
Documentation

API Key Management

Last Updated: October 15, 2025 Category: API Keys

Overview

API keys are the credentials your application uses to authenticate with the Waymaker One API. Proper key management is essential for security and reliable API access.

Creating Your First API Key

Step-by-Step

  1. Navigate to API Keys

    • Open WaymakerOne dashboard
    • Click "API Keys" in left navigation
    • Select "Keys & Authentication" tab

  2. Click "Create API Key"

    • Button located at top right
    • Opens key creation modal

  3. Name Your Key

    • Use descriptive names that indicate purpose
    • ✅ Good: "Production App", "Development Server", "Testing Environment"
    • ❌ Bad: "Key 1", "Test", "My Key"

  4. Copy Your Key Immediately

    • Key displays once and only once
    • Click "Copy" button
    • Store in secure location immediately

⚠️ Critical: You cannot view the key again after closing the modal. If lost, you must create a new key.

Key Format

Waymaker API keys look like this:

wm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

Format details:

  • Prefix: wm_ (identifies as Waymaker key)
  • Length: 64 characters total
  • Characters: Hexadecimal (0-9, a-f)

Using API Keys

In API Requests

Include your API key in the apikey header:

cURL example:

curl -X POST https://api.waymakerone.com/v1/coordinate \
  -H "apikey: wm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [{
      "role": "user",
      "content": "Help me create a business model canvas"
    }]
  }'

JavaScript example:

const response = await fetch('https://api.waymakerone.com/v1/coordinate', {
  method: 'POST',
  headers: {
    'apikey': process.env.WAYMAKER_API_KEY,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    messages: [{
      role: 'user',
      content: 'Help me create a business model canvas'
    }]
  })
});

Python example:

import os
import requests

headers = {
    'apikey': os.environ['WAYMAKER_API_KEY'],
    'Content-Type': 'application/json'
}

data = {
    'messages': [{
        'role': 'user',
        'content': 'Help me create a business model canvas'
    }]
}

response = requests.post(
    'https://api.waymakerone.com/v1/coordinate',
    headers=headers,
    json=data
)

Secure Storage

Environment Variables (Recommended)

Never hardcode API keys in your source code. Use environment variables instead.

Node.js (.env file):

WAYMAKER_API_KEY=wm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

Access in code:

const apiKey = process.env.WAYMAKER_API_KEY;

Python (.env file):

WAYMAKER_API_KEY=wm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890ab

Access in code:

import os
api_key = os.environ['WAYMAKER_API_KEY']

.gitignore

Always exclude environment files from version control:

# .gitignore
.env
.env.local
.env.production
*.env
config/secrets.json

Secret Management Services

For production applications, use dedicated secret management:

  • AWS Secrets Manager - For AWS-hosted applications
  • Google Secret Manager - For GCP-hosted applications
  • Azure Key Vault - For Azure-hosted applications
  • HashiCorp Vault - Platform-independent solution
  • Doppler - Modern secrets management
  • 1Password Secrets Automation - Developer-friendly option

Managing Multiple Keys

Key Organization Strategy

Create separate keys for:

  1. Development - Local development and testing
  2. Staging - Pre-production testing environment
  3. Production - Live application
  4. CI/CD - Automated testing pipelines
  5. Team Members - Individual keys for team developers

Benefits:

  • Revoke individual keys without affecting others
  • Track usage per environment
  • Identify which key was compromised
  • Monitor credit consumption by environment

Example naming:

Production - Main App
Staging - Main App
Development - Local (John)
CI/CD - GitHub Actions
Mobile App - Production

Key Limits

Per Organization:

  • Maximum API keys: 20 keys
  • Active keys at once: 20 keys

If you need more: Contact support@waymakerone.com for enterprise options.

Key Rotation

When to Rotate Keys

Rotate API keys:

  • ✅ Every 90 days (recommended schedule)
  • ✅ When team member leaves
  • ✅ After suspected compromise
  • ✅ When key accidentally exposed (GitHub, logs, etc.)
  • ✅ During security audits

Rotation Process

Zero-downtime key rotation:

  1. Create new key while old key still active

    • Name it clearly: "Production - New (2025-10-15)"

  2. Deploy new key to one environment at a time

    • Start with staging/development
    • Test thoroughly
    • Then update production

  3. Monitor both keys for 24-48 hours

    • Verify new key working correctly
    • Ensure no services still using old key

  4. Revoke old key after verification

    • Click "Revoke" next to old key
    • Confirm revocation

  5. Document rotation in your change log

💡 Tip: Keep old key active during transition to avoid service disruptions.

Revoking Keys

When to Revoke

Revoke immediately if:

  • Key compromised or exposed publicly
  • Team member with access leaves
  • Key no longer needed
  • Rotating to new key

Revocation Process

  1. Navigate to API Keys list
  2. Find the key to revoke
  3. Click "Revoke" button
  4. Confirm revocation in modal

⚠️ Warning: Revocation is immediate and cannot be undone. API calls using revoked keys will fail with 401 Unauthorized.

After Revocation

Revoked keys:

  • Stop working immediately (within 60 seconds)
  • Remain in key list marked as "Revoked"
  • Can be permanently deleted after 30 days
  • Cannot be un-revoked (must create new key)

Security Best Practices

1. Never Expose Keys Client-Side

❌ NEVER do this:

// WRONG - Key exposed in browser
<script>
  const apiKey = 'wm_1234567890abcdef...';
  fetch(`https://api.waymakerone.com/v1/coordinate`, {
    headers: { 'apikey': apiKey }
  });
</script>

✅ DO this instead:

// CORRECT - Key stays on server
// Frontend calls your backend
fetch('/api/waymaker-proxy', {
  method: 'POST',
  body: JSON.stringify({ message: 'user input' })
});

// Backend uses API key
app.post('/api/waymaker-proxy', async (req, res) => {
  const response = await fetch('https://api.waymakerone.com/v1/coordinate', {
    headers: { 'apikey': process.env.WAYMAKER_API_KEY }
  });
  res.json(await response.json());
});

2. Use HTTPS Only

Always use HTTPS when making API requests:

  • https://api.waymakerone.com
  • ❌ Never use HTTP (insecure)

3. Monitor Key Usage

Regular checks:

  • Review API Usage dashboard weekly
  • Look for unexpected usage spikes
  • Verify all usage is legitimate
  • Check for unusual access patterns

Red flags:

  • Usage from unexpected geographic locations
  • Requests at unusual times
  • Sudden spike in API calls
  • Errors suggesting key sharing

4. Implement Rate Limiting

In your application:

// Example: Simple rate limiter
const rateLimiter = new Map();

function checkRateLimit(userId) {
  const now = Date.now();
  const userRequests = rateLimiter.get(userId) || [];

  // Filter requests from last minute
  const recentRequests = userRequests.filter(
    timestamp => now - timestamp < 60000
  );

  if (recentRequests.length >= 10) {
    throw new Error('Rate limit exceeded');
  }

  recentRequests.push(now);
  rateLimiter.set(userId, recentRequests);
}

5. Log API Key Usage

What to log:

  • Timestamp of each API call
  • User/service making the request
  • Endpoint called
  • Response status code
  • Credits consumed

What NOT to log:

  • Full API key value
  • User input data (may contain PII)
  • Complete API responses (may contain sensitive data)

Example logging:

logger.info('API call', {
  timestamp: new Date().toISOString(),
  keyId: 'wm_****ab', // Last 2 chars only
  endpoint: '/v1/coordinate',
  status: 200,
  credits: 12,
  userId: 'user_123'
});

Troubleshooting

401 Unauthorized

Error:

{
  "error": "unauthorized",
  "message": "Invalid API key",
  "code": "AUTH_INVALID_KEY"
}

Possible causes:

  • Key copied incorrectly (missing characters, extra spaces)
  • Key was revoked
  • Key from different organization
  • Using anon key instead of API key

Solutions:

  1. Copy key again from dashboard (create new if lost)
  2. Check for leading/trailing whitespace
  3. Verify key hasn't been revoked
  4. Use apikey header, not Authorization

Key Not Working Immediately

New key takes 30-60 seconds to activate.

If created and immediately used:

  • Wait 60 seconds
  • Retry API call
  • Should work after brief propagation delay

Lost API Key

Cannot retrieve key after creation:

Solution:

  1. Create new API key
  2. Update your application configuration
  3. Revoke old (lost) key
  4. Test new key before revoking old one

Prevention: Store keys in password manager immediately after creation.

Quick Reference

Create API Key

Dashboard → API Keys → Create API Key → Copy immediately

Use in Request

curl -H "apikey: wm_YOUR_KEY_HERE" https://api.waymakerone.com/v1/coordinate

Store Securely

# .env file
WAYMAKER_API_KEY=wm_YOUR_KEY_HERE

# Access in code
process.env.WAYMAKER_API_KEY

Rotate Key

Create new → Deploy new → Monitor → Revoke old

Next Steps

Related Articles

Questions about API keys? → Contact support@waymakerone.com