title: Authentication
description: Learn how to authenticate requests to the Wontopos API.
Authentication
All Wontopos API requests require authentication. Choose the method that fits your use case.
Auth methods
| Method | Best for | Key prefix |
|---|---|---|
| API Keys | Server-to-server, scripts, backend services | sk_live_, sk_test_ |
| OAuth 2.0 | User-facing apps, third-party integrations | at_live_ |
When to use each
- API Keys — You control the server making requests. Most common for direct integrations.
- OAuth 2.0 — Your application acts on behalf of a Wontopos user. Required for marketplace apps.
Quick start
Pass your API key in the Authorization header:
curl https://api.wontopos.com/v1/marketplace/apis
-H "Authorization: Bearer sk_live_your_key_here"Never expose secret keys
API keys starting with `sk_` are secret. Do not include them in frontend JavaScript, client-side code, or public repositories.
Scopes
Both API keys and OAuth tokens use scopes to control access. Always follow the principle of least privilege.
| Scope prefix | Description |
|---|---|
marketplace:* | Read/write marketplace resources |
subscriptions:* | Manage subscriptions |
usage:* | View usage and analytics |
webhooks:* | Manage webhook endpoints |
billing:* | View billing information |