Summary
We performed a security key rotation to enhance API and access security. This change may have affected some customers, particularly those with inactive or dormant API integrations.
This exercise was last completed in February 2026.
Instructions
Understanding the Process
What did Wati do?
We performed a Security Key Rotation.
The goal: This was done to enhance our API and access security.
We introduced a "Recording Phase" to automatically save active sessions during the security key rotation process. This helped minimize disruptions for active customers.
Impact on Customers
Active Customers
If you were an active customer then you were not affected by this change. If you regularly logged in or used your API integration during the recording period, our system recognized and recorded your connection, ensuring it stayed active throughout the process.
Inactive/Dormant Customers
If your API integration was turned off or did not make a request during the recording period, it was not saved. When the update was completed, that specific integration stopped working until it was reactivated.
Note: The affected customers were those with dormant or inactive integrations. If you were an active user, your connection and API keys remained unaffected.
If your API was inactive (no requests made during this security exercise), your previous token would have expired, and you need to generate a new token to reconnect.
How to generate a new token
If you did not make any API calls during the period of this exercise and your token expired, follow these steps to generate a new token:
Log in to Wati and open the API Docs.
Copy your Access Token.
Replace the old token in your code with the new one.
Note: No further action is needed if you have active integrations in your Wati account or run API calls regularly.
What to do next?
Continue using your API integration as usual.
The security key rotation process has already been completed.
If you’re facing issues with your integration, generate a new API token using the steps provided above.
If the problem continues after updating the token, please contact our support team for further assistance. You can create a support ticket using the widget available in our help center.
Frequently Asked Questions (FAQs)
1. Was I logged out of the dashboard?
Most active customers did not notice any changes. Their tokens were automatically recorded and allowlisted to keep working. Only users who were completely inactive during the recording period lost access and needed to log in again.
2. Did my existing API integrations stop working?
If your integration made at least one request during the transition period, it was automatically allowlisted and continued to work. Integrations that remained inactive during that time stopped working after the exercise was completed - until a new token was generated.
3. Did I need to generate new API tokens?
If your integrations were active during the recording period, your tokens continue to work.
If your integration was inactive and your token expired after the exercise was completed, you need to generate a new token from the dashboard.
4. I see a "401 Unauthorized" error. What do I do?
If your integration or account was inactive during this security exercise, your token was not captured in the allowlist database before the security rotation was finalized.
The fix:
For dashboard users (if you are logged out): Simply log in again to create a new session.
For API users: Go to the dashboard, generate a new API token, and replace the old one in your code.