Authentication
Securely authenticate your requests to the Wazza Engine API using API keys or OAuth.
Overview
Wazza Engine supports two primary authentication methods: API Keys for server-to-server communication and OAuth for user-based authentication. All API requests must be authenticated to ensure security and proper rate limiting.
API Keys
API keys are the recommended method for server-to-server authentication. They provide secure, long-lived access to the Wazza Engine API.
Getting Your API Key
- Sign up for a Wazza Engine account at console.wazza.ai
- Navigate to the API Keys section in your dashboard
- Click "Create New API Key"
- Give your key a descriptive name (e.g., "Production Server")
- Copy the key immediately - it won't be shown again
⚠️ Security Best Practices
- Never commit API keys to version control
- Store keys in environment variables or secure vaults
- Rotate keys regularly (every 90 days recommended)
- Use different keys for development and production
- Revoke keys immediately if compromised
Using API Keys
Include your API key in the X-API-Key header:
```bash
curl https://api.wazza.ai/v1/chat \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "Generate a sunset over mountains"
  }'
```
OAuth Integration
OAuth is ideal for user-facing applications where you need to authenticate users and perform actions on their behalf.
Supported OAuth Providers
Google OAuth
Authenticate users with their Google accounts
GitHub OAuth
Authenticate users with their GitHub accounts
OAuth Flow
Wazza uses provider-specific OAuth flows. When users authenticate, they'll be redirected to Google or GitHub, and upon successful authentication, will receive JWT tokens.
Google OAuth
```javascript
// 1. Redirect user to Google OAuth
window.location.href = 'https://api.wazza.ai/v1/auth/google';

// 2. User authenticates with Google and is redirected back
// Wazza handles the callback at /v1/auth/google/callback

// 3. After successful authentication, user receives JWT tokens
// Use the JWT token with Bearer authentication
const result = await fetch('https://api.wazza.ai/v1/chat', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer YOUR_JWT_TOKEN',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    message: 'Generate an image'
  })
});
```
GitHub OAuth
```javascript
// 1. Redirect user to GitHub OAuth
window.location.href = 'https://api.wazza.ai/v1/auth/github';

// 2. User authenticates with GitHub and is redirected back
// Wazza handles the callback at /v1/auth/github/callback

// 3. After successful authentication, user receives JWT tokens
// (use them with Bearer authentication exactly as in the Google example)
```
💡 Authentication Methods Summary
- API Keys (Service-to-Service): Use the `X-API-Key` header
- JWT Tokens (User Sessions): Use the `Authorization: Bearer` header
- OAuth: Returns JWT tokens after successful authentication
Rate Limits
Rate limits are applied per API key or OAuth token. Limits vary based on your subscription tier:
| Plan | Requests/Hour | Credits/Month |
|---|---|---|
| Free | 50 | 50 |
| Pro | 500 | 500 |
| Team | 2,000 | Custom |
| Enterprise | 10,000+ | Custom |
Rate Limit Headers
All API responses include rate limit information:
- `X-RateLimit-Limit` - Your plan's hourly limit
- `X-RateLimit-Remaining` - Requests remaining in the current window
- `X-RateLimit-Reset` - Unix timestamp when the limit resets
When rate limits are exceeded, you'll receive a 429 Too Many Requests response with a Retry-After header.
Troubleshooting
401 Unauthorized
Common causes:
- Missing or invalid API key
- Expired OAuth token
- API key has been revoked
- Incorrect Authorization header format
403 Forbidden
Common causes:
- API key doesn't have required permissions
- Trying to access resources outside your organization
- Account suspended or payment overdue
429 Too Many Requests
Implement exponential backoff and respect the Retry-After header. Consider upgrading your plan for higher rate limits.
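The following is an added example, not part of Wazza's documentation or SDK: a small client that sends the header the summary above prescribes for each credential type, reads the three `X-RateLimit-*` headers, and retries a 429 with exponential backoff that honours `Retry-After`. It assumes credentials are passed as `{apiKey}` or `{jwt}` and takes a fetch-compatible function as a parameter so that it can be run offline against the constructed fake at the bottom.

```javascript
// API key => X-API-Key (service-to-service); JWT => Bearer (user session).
function authHeaders(cred) {
  if (cred.apiKey) return { 'X-API-Key': cred.apiKey };
  if (cred.jwt) return { Authorization: `Bearer ${cred.jwt}` };
  throw new Error('no credential supplied');
}

// Parse the rate-limit headers documented above (Reset is a Unix timestamp).
function rateLimitInfo(headers) {
  const num = (name) => Number(headers.get(name));
  return { limit: num('X-RateLimit-Limit'), remaining: num('X-RateLimit-Remaining'),
           resetAt: num('X-RateLimit-Reset') };
}

// Retry-After (seconds) wins when present; otherwise 2^(attempt-1) * baseMs.
function backoffDelayMs(attempt, retryAfter, baseMs = 500) {
  const secs = Number(retryAfter);
  return secs > 0 ? secs * 1000 : baseMs * 2 ** (attempt - 1);
}

// fetchFn is injected (real fetch in production, a fake in the test below).
async function wazzaChat(fetchFn, cred, message, { maxAttempts = 4, sleep } = {}) {
  sleep = sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  for (let attempt = 1; ; attempt += 1) {
    const res = await fetchFn('https://api.wazza.ai/v1/chat', {
      method: 'POST',
      headers: { ...authHeaders(cred), 'Content-Type': 'application/json' },
      body: JSON.stringify({ message }),
    });
    const rateLimit = rateLimitInfo(res.headers);
    if (res.status !== 429 || attempt >= maxAttempts) {
      return { status: res.status, body: await res.json(), rateLimit, attempt };
    }
    await sleep(backoffDelayMs(attempt, res.headers.get('Retry-After')));
  }
}

// Constructed fake of the API: the first call is rate limited (429 with
// Retry-After: 2), the second succeeds. A Map stands in for Response.headers.
function makeFakeFetch() {
  let calls = 0;
  return async (url, init) => {
    calls += 1;
    const limited = calls === 1;
    const headers = new Map([['X-RateLimit-Limit', '50'],
      ['X-RateLimit-Remaining', limited ? '0' : '49'],
      ['X-RateLimit-Reset', '1700000000'], ['Retry-After', limited ? '2' : '']]);
    return { status: limited ? 429 : 200, headers,
             json: async () => ({ sentHeaders: init.headers, calls }) };
  };
}
```

Against the real API, pass the global `fetch` as `fetchFn` and read the API key from an environment variable rather than a literal, as the best practices above recommend.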