Skip to content

API tokens

API tokens give programmatic access to the API (CI/CD, monitoring, integrations) without a login. A token has configurable permissions (scopes) and an optional binding to a single domain, so a leak is limited to exactly what you allowed.

A token never gets access to:

  • account security (changing password/email, OAuth);
  • managing tokens themselves (you cannot issue or revoke a token using only a token);
  • billing write operations (payments, top-ups, plan changes, payers).

This is intentional: a token narrows the owner’s access and cannot escalate its own privileges.

A scope is area:level. Write includes read.

Area Levels What it grants
Domains read / write listing and managing domains, delegation
DNS read / write a domain’s DNS records
Proxy read / write proxying and edge host configuration
Sites read / write static sites (upload, publish)
Support read / write support tickets
Analytics read domain statistics
Billing read invoices and usage (no payment operations)

When creating a token you can pick one domain — the token then works only with its resources (DNS, proxying, static sites, analytics, billing read for that domain). Requests to other domains are rejected. “All domains” removes the restriction within the chosen scopes. Support is not domain-bound.

  1. Open Settings → API tokens.
  2. Set a name, pick permissions, optionally a domain and an expiry date (empty — non-expiring).
  3. Click Create token. The full token (wsk_…) is shown once — save it immediately.
  4. Revoke a token from the list; it stops working immediately.

Pass the token in the Authorization: Bearer wsk_… header:

Terminal window
# List domains (requires "Domains: read")
curl -H "Authorization: Bearer $WSP_API_TOKEN" https://webshield.pro/api/v1/domains
# Update a domain's DNS records (requires "DNS: write")
curl -X POST https://webshield.pro/api/v1/domains/123/records \
-H "Authorization: Bearer $WSP_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{ ... }'

If the token lacks the required scope or is bound to another domain, the response is 403; an invalid or expired token returns 401.