Authentication
All API requests must be authenticated using a Bearer token in the Authorization header.
Creating a Token
1. Go to app.wave.co/settings/developer-api
2. Click "Create Token" and give it a descriptive name
3. Select the permissions (scopes) your application needs
4. Copy the token immediately - it will only be shown once
Using Your Token
Include your token in the Authorization header with every request:
curl -H "Authorization: Bearer wave_api_xxx..." \
  https://api.wave.co/v1/sessions
Scopes
Tokens are granted specific permissions (scopes) that control what data they can access:
List sessions and retrieve session metadata including titles, timestamps, summaries, and notes.
Required for: GET /v1/sessions, GET /v1/sessions/:id
Access full session transcripts with speaker attribution and timestamps.
Required for: GET /v1/sessions/:id/transcript
Perform semantic search across all your sessions using natural language queries.
Required for: POST /v1/sessions/search
Token Security
- Tokens are only shown once when created - store them securely
- Tokens expire after 1 year but can be revoked at any time
- Use environment variables to store tokens, never commit them to code
- Create separate tokens for different applications
- Revoke tokens immediately if they may have been compromised
Error Responses
Authentication errors return appropriate HTTP status codes:
Missing or malformed Authorization header
{
  "error": {
    "code": "unauthorized",
    "message": "Missing or invalid Authorization header"
  }
}

Token is invalid, expired, or has been revoked
{
  "error": {
    "code": "invalid_token",
    "message": "Token is invalid, expired, or revoked"
  }
}

Token does not have the required scope for this endpoint
{
  "error": {
    "code": "insufficient_scope",
    "message": "This endpoint requires the 'transcripts:read' scope"
  }
}
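
A client-side sketch that ties the token-handling rules and the error codes above together, added here as an example and not Wave's own code: it reads the token from an environment variable, keeps the secret out of logs, and maps each documented error code to the action it calls for. The variable name WAVE_API_TOKEN, the helper names and the action labels are assumptions.

```python
import json
import os
import urllib.request

API_BASE = "https://api.wave.co/v1"  # host and version path as shown on the page
TOKEN_ENV = "WAVE_API_TOKEN"         # assumed variable name, not defined by the page

# Error codes documented on the page, mapped to the action each calls for.
# The action labels are this example's own.
ACTIONS = {
    "unauthorized": "fix_header",       # Authorization header missing or malformed
    "invalid_token": "replace_token",   # invalid, expired or revoked: issue a new one
    "insufficient_scope": "add_scope",  # token lacks the scope the endpoint requires
}


def load_token(env=os.environ):
    """Read the token from the environment and fail closed if it is absent."""
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set")
    return token


def redact(token):
    """Form that is safe to log: the public prefix only, never the secret part."""
    return "wave_api_..." if token.startswith("wave_api_") else "..."


def build_request(path, token):
    """Prepare an authenticated request; nothing is sent until urlopen() is called."""
    return urllib.request.Request(
        API_BASE + path, headers={"Authorization": f"Bearer {token}"}
    )


def classify_auth_error(body):
    """Map an error response body to (code, action, message)."""
    try:
        err = json.loads(body)["error"]
        code, message = err["code"], err.get("message", "")
    except (ValueError, KeyError, TypeError, AttributeError):
        return ("unparseable", "investigate", "")
    return (code, ACTIONS.get(code, "investigate"), message)
```

Pass the result of `build_request` to `urllib.request.urlopen` and, on an `HTTPError`, feed the error's `read()` output to `classify_auth_error`.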