Authentication

All integration requests authenticate with an API key via the Authorization header.

API Keys

API keys are created by your admin in the WhoComply dashboard. Each key is scoped to your tenant with explicit permissions.

Keys are prefixed with wc_ and look like this:

wc_0aa39ad26ab1.95ed0c0f859a8cb217387d379bed7582c1b6ebe93b14ddd8

The full key is shown once at creation time. Store it securely. If lost, create a new key in the dashboard and revoke the old one.


Using Your Key

Include the key as a Bearer token in the Authorization header on every request.

All requests to tenant-scoped endpoints require this header. Requests without a valid key return 401.

Examples

curl "https://api.whocomply.com/api/v1/tenants/your-org/customers" \
  -H "Authorization: Bearer wc_0aa39ad26ab1.95ed0c0f..."

Scopes

API keys carry explicit permission scopes set at creation time. Each scope is enforced at the route level — a request with insufficient scope returns 403 with a message of the form insufficient scope: this action requires the 'write' scope.

| Scope | Allows |
|-------|--------|
| read  | List and read customers, alerts, rules, ledgers, postings, watchlist entries, currencies, settings |
| write | Create customers, post transactions, configure rules, manage watchlist entries, register and rotate webhooks |
| admin | Implies both read and write. Reserved for keys that need full integration access without splitting reads and writes |

A key may carry any combination of scopes; admin short-circuits both other checks. Routes that mutate state require write, routes that read state require read. There is no scope-bearing route for compliance-officer actions (case review, report submission, plugin activation) — those are dashboard-only and require a JWT-authenticated user.

Example: insufficient scope

A key with only the read scope attempting to create a customer:

Response

403 Forbidden
{
  "status": "error",
  "message": "insufficient scope: this action requires the 'write' scope"
}
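
The scope rules above, modelled as an added example (not WhoComply's own code) that also audits keys for least privilege. The HTTP-method-to-scope mapping, the WHOCOMPLY_API_KEY environment variable name and the key inventory are assumptions made for illustration.

```python
import os

# Assumption: HTTP method -> required scope, following the page's rule that
# routes reading state need 'read' and routes mutating state need 'write'.
REQUIRED_SCOPE = {"GET": "read", "POST": "write", "PUT": "write",
                  "PATCH": "write", "DELETE": "write"}


def auth_header(env_var="WHOCOMPLY_API_KEY"):
    """Build the Authorization header from an environment variable
    (hypothetical name) so the key never lives in source control."""
    key = os.environ.get(env_var, "")
    if not key.startswith("wc_"):
        raise ValueError(f"{env_var} is unset or is not a wc_ key")
    return {"Authorization": f"Bearer {key}"}


def effective(scopes):
    """'admin' implies both 'read' and 'write'."""
    return {"read", "write"} if "admin" in scopes else set(scopes)


def decide(scopes, method):
    """Return (status, message): 401 without a valid key, 403 on missing
    scope, (None, None) when the scope check passes."""
    if scopes is None:
        return 401, None
    required = REQUIRED_SCOPE[method.upper()]
    if required in effective(scopes):
        return None, None
    return 403, f"insufficient scope: this action requires the '{required}' scope"


def excess_scopes(scopes, methods_used):
    """Least-privilege audit: permissions a key holds but never needs."""
    needed = {REQUIRED_SCOPE[m.upper()] for m in methods_used}
    return effective(scopes) - needed


if __name__ == "__main__":
    # Constructed inventory: key label -> (scopes, methods the integration calls)
    inventory = {
        "reporting-job": ({"read"}, ["GET"]),
        "onboarding-svc": ({"read", "write"}, ["GET", "POST"]),
        "legacy-sync": ({"admin"}, ["GET"]),
    }
    for name, (scopes, used) in inventory.items():
        print(name, "excess:", sorted(excess_scopes(scopes, used)) or "none")
```

A non-empty result from excess_scopes means the key can be replaced with a narrower one in the dashboard and the old key revoked.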
