Security

Security at WSAPI

We take the security of your data and the reliability of our platform seriously. Here is how we protect your information.

Encryption

In Transit

All communication between your application and the WSAPI service is encrypted using TLS 1.2 or higher. API endpoints are only accessible over HTTPS.

At Rest

Sensitive data such as API keys, webhook authentication secrets, and event signing secrets are encrypted at rest using industry-standard AES-256 encryption.

Webhook Security

Webhook payloads can be signed with an HMAC secret so your application can verify that events originate from WSAPI and have not been tampered with.

Authentication & Authorization

API Key Authentication

Every API request requires a valid API key and instance ID sent via HTTP headers. Keys can be rotated at any time from the dashboard.

Account Authentication

User accounts are secured with Firebase Authentication, supporting email/password, Google, and GitHub sign-in methods. Passwords must meet strong complexity requirements.

Session Management

Sessions use short-lived JWTs that are refreshed automatically. Signing out immediately invalidates the session cookie.

Infrastructure Security

Instance Isolation

Each WhatsApp instance runs in its own isolated container. Instances cannot access each other's data, sessions, or network resources.

Network Security

Internal services communicate over private networks with no public exposure. Only the API gateway is internet-facing, protected by rate limiting and DDoS mitigation.

Access Control

Infrastructure access follows the principle of least privilege. Production systems are accessible only through audited, time-limited credentials.

Data Privacy

Minimal Data Collection

WSAPI collects only the data necessary to provide the service: account details, subscription information, and instance configuration. We do not store message content on our servers.

No Third-Party Sharing

Your data is never sold or shared with third parties for advertising or marketing purposes. See our Privacy Policy for complete details.

Responsible Disclosure

If you discover a security vulnerability in WSAPI, we ask that you disclose it responsibly. Please do not open a public GitHub issue for security vulnerabilities.

Instead, email us at security@wsapi.chat with a description of the vulnerability, steps to reproduce, and any relevant screenshots or logs. We commit to acknowledging your report within 48 hours and providing a fix timeline within 5 business days.

We appreciate security researchers who help us keep WSAPI safe for everyone.