API Documentation

v1.0

Getting Started

Welcome to the Whama API! This guide will help you get started with integrating Whama into your applications.

Quick Start

1
Create a Developer Account
Sign up at whama.co/developers/register
2
Create an Application
Register your app to get API keys and configure OAuth settings
3
Make Your First API Call
Use your API key to authenticate and start making requests

Base URL

https://api.whama.co

Response Format

All API responses are returned in JSON format with a consistent structure:

// Successful response
{
  "success": true,
  "data": { /* Response data */ },
  "meta": {
    "page": 1,
    "limit": 20,
    "total": 100,
    "totalPages": 5
  }
}

Authentication

Whama API supports two authentication methods: API Keys and OAuth 2.0.

API Key Authentication

API keys are the simplest way to authenticate. Include your API key in theX-API-Keyheader with each request.

Keep your API keys secure! Never expose them in client-side code or public repositories. Use environment variables to store them.

// Using API Key authentication
const response = await fetch('https://api.whama.co/v1/tasks', {
  method: 'GET',
  headers: {
    'X-API-Key': 'sk_live_your_api_key_here',
    'Content-Type': 'application/json',
  },
});

const { data, meta } = await response.json();
console.log('Tasks:', data);

Test vs Live Keys

Test Keys

Prefix: sk_test_
Use for development and testing. No rate limits.

Live Keys

Prefix: sk_live_
Use in production. Rate limits apply.

OAuth 2.0

Use OAuth 2.0 when you need to access Whama on behalf of users. We support the Authorization Code flow with PKCE.

Authorization Flow

Redirect user to authorization URL

https://whama.co/oauth/authorize?
  client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &response_type=code
  &scope=tasks:read tasks:write boards:read
  &state=random_state_string
  &code_challenge=PKCE_CHALLENGE
  &code_challenge_method=S256

2
User grants permission
User is redirected back to your app with an authorization code

Exchange code for tokens

POST /oauth/token
Content-Type: application/json

{
  "grant_type": "authorization_code",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "code": "AUTHORIZATION_CODE",
  "redirect_uri": "https://yourapp.com/callback",
  "code_verifier": "PKCE_VERIFIER"
}

Use access token

// Using OAuth 2.0 access token
const response = await fetch('https://api.whama.co/v1/tasks', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer your_access_token_here',
    'Content-Type': 'application/json',
  },
});

const { data, meta } = await response.json();
console.log('Tasks:', data);

Available Scopes

Scope	Description
`tasks:read`	Read access to tasks
`tasks:write`	Create, update, and delete tasks
`boards:read`	Read access to boards
`boards:write`	Create, update, and delete boards
`user:read`	Read user profile information

API Endpoints

Below is a reference of all available API endpoints.

Tasks

Create, read, update, and delete tasks

GET/api/v1/tasks

tasks:read

List all tasks

GET/api/v1/tasks/:id

tasks:read

Get a specific task

POST/api/v1/tasks

tasks:write

Create a new task

PATCH/api/v1/tasks/:id

tasks:write

Update a task

DELETE/api/v1/tasks/:id

tasks:write

Delete a task

Boards

Manage boards and their settings

GET/api/v1/boards

boards:read

List all boards

GET/api/v1/boards/:id

boards:read

Get a specific board

POST/api/v1/boards

boards:write

Create a new board

PATCH/api/v1/boards/:id

boards:write

Update a board

DELETE/api/v1/boards/:id

boards:write

Delete a board

User

Access user profile information

GET/api/v1/user

user:read

Get current user profile

Example: Create a Task

// Create a new task
const response = await fetch('https://api.whama.co/v1/tasks', {
  method: 'POST',
  headers: {
    'X-API-Key': 'sk_live_your_api_key_here',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    title: 'Review quarterly report',
    description: 'Review and approve Q4 financial report',
    boardId: 'board_abc123',
    columnId: 'column_todo',
    priority: 'high',
    dueDate: '2024-02-15T10:00:00Z',
    labels: ['urgent', 'finance'],
  }),
});

const { data } = await response.json();
console.log('Created task:', data.id);

Pagination

List endpoints support pagination with the following query parameters:

page - Page number (default: 1)
limit - Items per page (default: 20, max: 100)
sort - Field to sort by
order - Sort order (asc/desc)

// Pagination example
const response = await fetch(
  'https://api.whama.co/v1/tasks?page=1&limit=20&sort=createdAt&order=desc',
  {
    headers: {
      'X-API-Key': 'sk_live_your_api_key_here',
    },
  }
);

const { data, meta } = await response.json();
console.log('Tasks:', data);
console.log('Total:', meta.total);
console.log('Page:', meta.page);
console.log('Total Pages:', meta.totalPages);

Webhooks

Webhooks allow you to receive real-time notifications when events occur in Whama.

Available Events

task.created

A new task was created

task.updated

A task was updated

task.deleted

A task was deleted

task.completed

A task was marked complete

board.created

A new board was created

board.updated

A board was updated

Payload Format & Verification

Each webhook includes a signature in the X-Webhook-Signature header. Always verify this signature to ensure the webhook is authentic.

// Webhook payload example
{
  "id": "evt_abc123",
  "type": "task.created",
  "createdAt": "2024-01-15T10:30:00Z",
  "data": {
    "task": {
      "id": "task_xyz789",
      "title": "New task",
      "boardId": "board_abc123",
      "createdAt": "2024-01-15T10:30:00Z"
    }
  }
}

// Verify webhook signature
const crypto = require('crypto');

function verifyWebhookSignature(payload, signature, secret) {
  const expectedSignature = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  return crypto.timingSafeEqual(
    Buffer.from(signature),
    Buffer.from(expectedSignature)
  );
}

Retry Policy: If your endpoint returns a non-2xx status code, we'll retry the webhook up to 3 times with exponential backoff.

Error Handling

The API uses standard HTTP status codes and returns detailed error information.

HTTP Status Codes

Code	Description
`200`	Success
`201`	Created
`400`	Bad Request - Invalid parameters
`401`	Unauthorized - Invalid or missing auth
`403`	Forbidden - Insufficient permissions
`404`	Not Found - Resource does not exist
`429`	Too Many Requests - Rate limit exceeded
`500`	Internal Server Error

Error Response Format

// Error response format
{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Invalid request parameters",
    "details": [
      {
        "field": "title",
        "message": "Title is required"
      }
    ]
  }
}

// Handle errors in your code
const response = await fetch('https://api.whama.co/v1/tasks', {
  method: 'POST',
  headers: {
    'X-API-Key': 'sk_live_your_api_key_here',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ /* ... */ }),
});

if (!response.ok) {
  const error = await response.json();
  console.error('API Error:', error.error.message);
  // Handle specific error codes
  if (error.error.code === 'RATE_LIMIT_EXCEEDED') {
    // Wait and retry
  }
}

Rate Limiting

Rate limits are applied per API key. Check the response headers for limit info:

X-RateLimit-Limit - Requests allowed per window
X-RateLimit-Remaining - Remaining requests
X-RateLimit-Reset - Unix timestamp when limit resets

Need Help?

Can't find what you're looking for? Our developer support team is here to help.

Contact Support View Examples on GitHub