Overview
VZaps uses more than one authentication mechanism; each endpoint only requires what that flow needs.
JWT for integrators (public API)
To obtain a JWT without sending email and password to an integration route, call POST /token with your account client_token and client_secret (managed under Security in the app). The response uses the same access_token and expires_in shape as session-based flows. This endpoint does not use Turnstile.
| Header | When to use | Notes |
|---|---|---|
| Authorization: Bearer <jwt> | Instance creation, listing, billing, and owner access to the instance | Obtain via POST /token or the web app; required on PUT /instances/create, POST /instances/list, POST /instances/{id}/subscribe, POST /instances/{id}/resume-subscription, and PUT/DELETE /instances/{id}/cancel |
| X-Client-Token | Server-to-server integrations and token-authenticated calls | Must belong to the instance owner |
| X-Instance-Token | Instance endpoints without JWT | Returned in the create-instance response |
Practical rules
Instance and billing
- Send JWT in the Authorization header.
- Do not use the instance token as a substitute on these endpoints.
List instances
Use POST /instances/list with Authorization: Bearer <JWT> and pagination/filter body fields (page, size, filter, sort, sortDesc). This flow always assumes JWT.
Instance (session, chat, webhook, and more)
You can use either:
- Owner JWT for the instance.
- X-Instance-Token together with X-Client-Token.
The API validates the instance and the owner X-Client-Token before processing the request.
Example with JWT
Example with instance tokens
Best practices
- Do not expose X-Client-Token and X-Instance-Token in public front-end apps.
- Separate credentials per environment.
- Store the instance token from PUT /instances/create right after creation.
- On Forbidden, first verify the instance belongs to the user or the X-Client-Token you sent.
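
The rules above, as an added example (not VZaps code): a server-side Python helper that sends only the credentials a route needs and refuses to substitute the instance token on JWT-only routes. The function names and the sample path /instances/abc123/chat are assumptions; the JWT-only route list is taken from the table on this page.

```python
import re

# Routes the page lists as requiring Authorization: Bearer <jwt>.
JWT_ONLY = [
    ("PUT", r"/instances/create"),
    ("POST", r"/instances/list"),
    ("POST", r"/instances/[^/]+/subscribe"),
    ("POST", r"/instances/[^/]+/resume-subscription"),
    ("PUT", r"/instances/[^/]+/cancel"),
    ("DELETE", r"/instances/[^/]+/cancel"),
]


class AuthError(ValueError):
    """The credentials supplied do not fit the route being called."""


def is_jwt_only(method, path):
    """True when the route is instance creation, listing, or billing."""
    return any(method.upper() == m and re.fullmatch(p, path) for m, p in JWT_ONLY)


def auth_headers(method, path, jwt=None, client_token=None, instance_token=None):
    """Return the auth headers for one request, or raise AuthError.

    Hypothetical helper: it fails locally instead of sending a request
    that the API would reject.
    """
    if is_jwt_only(method, path):
        if not jwt:
            raise AuthError(f"{method} {path} requires Authorization: Bearer <jwt>")
        return {"Authorization": f"Bearer {jwt}"}
    # Other instance endpoints accept the owner JWT or the token pair.
    if jwt:
        return {"Authorization": f"Bearer {jwt}"}
    if client_token and instance_token:
        return {"X-Client-Token": client_token, "X-Instance-Token": instance_token}
    raise AuthError("need a JWT, or X-Instance-Token together with X-Client-Token")


def redact(headers):
    """Copy of the headers that is safe to log: every value is masked."""
    return {name: "<redacted>" for name in headers}
```

Load the token values from per-environment secrets on the server, and log redact(headers) rather than the headers themselves.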

