Authentication
The API uses Bearer token API keys for authentication. No cookies, no sessions, no CSRF tokens.
API Key Format
Keys follow the format:

```
wpg_sk_{32 random hex characters}
```

Example: `wpg_sk_a1b2c3d4e5f67890abcdef1234567890`
The full key is shown once at creation and is never stored on the server (only an argon2 hash is kept). Store it securely.
Creating an API Key
Via the Dashboard
- Go to Dashboard > Settings > API Keys
- Click Create API Key
- Enter a name (e.g., “My Bot”, “CI Pipeline”)
- Select the scopes you need
- Optionally set an expiry date
- Copy the full key — it will not be shown again
Via the API
Register and receive an API key in one step:

```bash
curl -X POST https://app.weplaytestgames.com/api/v1/auth/register/api-key \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@example.com",
    "password": "securepassword123",
    "role": "game_owner",
    "name": "My API Key"
  }'
```

The key is issued immediately but stays inactive until the account's email address is verified. Any API call with an unverified key returns 403 Forbidden with error code EMAIL_NOT_VERIFIED.
Using API Keys
Include your key in the Authorization header as a Bearer token:

```bash
curl -H "Authorization: Bearer wpg_sk_a1b2c3d4..." \
  https://app.weplaytestgames.com/api/v1/auth/me
```

```javascript
const response = await fetch('https://app.weplaytestgames.com/api/v1/auth/me', {
  headers: {
    'Authorization': `Bearer ${apiKey}`,
  },
});
const { data } = await response.json();
```

```python
import requests

response = requests.get(
    'https://app.weplaytestgames.com/api/v1/auth/me',
    headers={'Authorization': f'Bearer {api_key}'},
)
data = response.json()['data']
```

Scopes
Each API key has one or more scopes that control which endpoint groups it can access:
| Scope | Grants Access To |
|---|---|
| game_owner | Games, playtests, submissions, slots, dashboard stats |
| billing | Read-only financial data: credit balance, payment history, invoices |
| chat | Chat contacts, conversations, messages |
| notifications | Notification listing, mark-as-read |
Scope Rules
- `billing` is a read-only scope for accountants/finance tools — it can view balances, payment history, and download invoices, but cannot purchase credit or order playtests
- Endpoints marked “any” in the endpoint tables require at least one valid scope but no specific scope
- Public/unauthenticated endpoints (`/api/v1/public/*`, `/api/v1/auth/register`) require no key at all
Key Management
| Method | Path | Description |
|---|---|---|
| GET | /auth/api-keys | List your API keys (name, prefix, scopes, last used) |
| POST | /auth/api-keys | Create a new API key |
| PATCH | /auth/api-keys/:id | Update key name or scopes |
| DELETE | /auth/api-keys/:id | Revoke an API key |
These endpoints use cookie-based auth (the dashboard session), not API key auth.
Security Best Practices
- Never commit API keys to version control
- Use the minimum scopes needed for your use case
- Set an expiry for keys used in temporary or CI environments
- Rotate keys regularly — create a new key, update your app, then revoke the old one
- Use separate keys for different applications or environments
- Keys are only accepted over HTTPS — plain HTTP requests are rejected
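Added example (not part of the WePlaytestGames docs or any client library of theirs): a Python helper that enforces the documented `wpg_sk_` key format before a request is built, redacts keys for logging, and scans text for keys that are about to be committed, supporting the first best practice above. The sample file contents are constructed, and the redaction width (prefix plus four hex characters) is an assumption.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Documented key format: the literal prefix "wpg_sk_" followed by 32 lowercase hex characters.
KEY_RE = re.compile(r"wpg_sk_[0-9a-f]{32}")
SHOWN_CHARS = len("wpg_sk_") + 4  # assumption: logs keep the prefix plus 4 hex chars

def is_valid_key(key: str) -> bool:
    """True only for a complete key that matches the documented format exactly."""
    return KEY_RE.fullmatch(key) is not None

def redact(key: str) -> str:
    """Shorten a key for logs: keep the recognisable prefix, mask the secret part."""
    return key[:SHOWN_CHARS] + "..." if is_valid_key(key) else "<invalid-key>"

def auth_header(key: str) -> Dict[str, str]:
    """Build the Authorization header, rejecting malformed keys before any request is sent."""
    if not is_valid_key(key):
        raise ValueError("API key does not match the wpg_sk_{32 hex} format")
    return {"Authorization": f"Bearer {key}"}

def scan_lines(path: str, lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (path, line number, redacted key) for every key-shaped token in the text."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for match in KEY_RE.finditer(line):
            hits.append((path, lineno, redact(match.group(0))))
    return hits

# Constructed sample files: one real-looking key, one placeholder, one truncated value.
SAMPLE_FILES = {
    "config.py": [
        "API_URL = 'https://app.weplaytestgames.com/api/v1'",
        "API_KEY = 'wpg_sk_a1b2c3d4e5f67890abcdef1234567890'  # must not be committed",
    ],
    ".env.example": ["WPG_API_KEY=wpg_sk_<paste your key here>"],
    "notes.md": ["Keys look like wpg_sk_a1b2c3d4... (truncated, so not flagged)"],
}

def scan_repo(files: Dict[str, List[str]] = SAMPLE_FILES) -> List[Tuple[str, int, str]]:
    """Scan every file; a non-empty result means the commit should be blocked."""
    hits = []
    for path, lines in files.items():
        hits.extend(scan_lines(path, lines))
    return hits

if __name__ == "__main__":
    findings = scan_repo()
    for path, lineno, key in findings:
        print(f"{path}:{lineno}: possible API key {key}")
    raise SystemExit(1 if findings else 0)
```

Run as a pre-commit hook, the non-zero exit blocks the commit while the output never echoes more than the key prefix.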
Error Responses
| Status | Code | When |
|---|---|---|
| 401 | UNAUTHORIZED | Missing or invalid API key |
| 403 | FORBIDDEN | Valid key but insufficient scope |
| 403 | EMAIL_NOT_VERIFIED | Key exists but account email not verified |