API & Webhooks
Authentication
Generate API keys and authenticate requests to the Winora REST API.
API authentication
Winora uses API keys for machine-to-machine authentication. Keys are workspace-scoped - they have access to all data within the workspace they were created in.
Generating an API key
- Go to Settings → API keys.
- Click New key.
- Give it a descriptive name (e.g. "Mobile app - production").
- Copy the key immediately - it is only shown once.
Security tip: Store API keys in environment variables or a secrets manager, never in source code.
Using the key
Include the key in the Authorization header on every request:
curl https://app.winora.dev/api/v1/conversations \
-H "Authorization: Bearer wk_live_xxxxxxxxxxxx" \
-H "x-workspace-id: YOUR_WORKSPACE_ID"
Workspace ID
Many endpoints also require the x-workspace-id header. Find your workspace ID in Settings → Workspace → Advanced.
Revoking a key
Go to Settings → API keys, click the trash icon next to the key, and confirm. Revoked keys stop working immediately.
Key rotation
We recommend rotating API keys every 90 days as a security best practice. Create the new key, update your systems, then revoke the old key.