API tokens
API tokens give programmatic access to the API (CI/CD, monitoring, integrations) without a login. A token has configurable permissions (scopes) and an optional binding to a single domain, so a leak is limited to exactly what you allowed.
What tokens can and cannot do
Section titled “What tokens can and cannot do”A token never gets access to:
- account security (changing password/email, OAuth);
- managing tokens themselves (you cannot issue or revoke a token using only a token);
- billing write operations (payments, top-ups, plan changes, payers).
This is intentional: a token narrows the owner’s access and cannot escalate its own privileges.
Permissions (scopes)
Section titled “Permissions (scopes)”A scope is area:level. Write includes read.
| Area | Levels | What it grants |
|---|---|---|
| Domains | read / write | listing and managing domains, delegation |
| DNS | read / write | a domain’s DNS records |
| Proxy | read / write | proxying and edge host configuration |
| Sites | read / write | static sites (upload, publish) |
| Support | read / write | support tickets |
| Analytics | read | domain statistics |
| Billing | read | invoices and usage (no payment operations) |
Domain binding
Section titled “Domain binding”When creating a token you can pick one domain — the token then works only with its resources (DNS, proxying, static sites, analytics, billing read for that domain). Requests to other domains are rejected. “All domains” removes the restriction within the chosen scopes. Support is not domain-bound.
Creating and revoking
Section titled “Creating and revoking”- Open Settings → API tokens.
- Set a name, pick permissions, optionally a domain and an expiry date (empty — non-expiring).
- Click Create token. The full token (
wsk_…) is shown once — save it immediately. - Revoke a token from the list; it stops working immediately.
Pass the token in the Authorization: Bearer wsk_… header:
# List domains (requires "Domains: read")curl -H "Authorization: Bearer $WSP_API_TOKEN" https://webshield.pro/api/v1/domains
# Update a domain's DNS records (requires "DNS: write")curl -X POST https://webshield.pro/api/v1/domains/123/records \ -H "Authorization: Bearer $WSP_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{ ... }'If the token lacks the required scope or is bound to another domain, the response is 403; an invalid or expired token returns 401.