Authentication
Windback supports two authentication methods depending on your use case.
JWT Bearer Token
Used by the dashboard and web app. Obtained via login or OAuth.
curl https://api.windbackai.com/api/v1/auth/me \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
API Keys
Each project has two API keys:
| Type | Prefix | Used For |
|---|---|---|
| Public | pub_ | Widget, cancel flow, webhook URLs |
| Secret | sk_ | Server-side SDK calls, full API access |
Pass the secret key via the X-API-Key header:
curl https://api.windbackai.com/api/v1/projects/my-project/churn-events \
-H "X-API-Key: sk_live_abc123..."
When to Use Which
| Scenario | Auth Method |
|---|---|
| Dashboard / web app | JWT (automatic) |
| Server-side SDK | Secret API key (sk_) |
| Cancel flow widget | Public API key (pub_) |
| Webhook endpoints | Public API key in URL |
| Email tracking pixels | No auth (opaque IDs) |
Security Best Practices
Never expose your secret key (sk_) in client-side code, public repositories, or browser requests.
- Rotate keys regularly from Settings > API Keys
- Use the public key for client-facing integrations
- Configure Allowed Origins to restrict which domains can use your public key
- Enable 2FA on your account for added security
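
One way to enforce the rule about secret keys in CI is to scan client-facing files for the `sk_` prefix before they are published. This is an added example, not Windback's own tooling; the key pattern (character set and minimum length) and the list of file suffixes are assumptions, since the page shows only the prefixes and the sample `sk_live_abc123...`.

```python
import re
import sys
from pathlib import Path

# Assumption: the page shows only the prefixes (pub_, sk_) and the sample
# "sk_live_abc123..."; the character set and minimum length are guesses.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9])sk_[A-Za-z0-9_]{8,}")
# Assumption: file types that end up in a browser or a public repository.
CLIENT_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html", ".vue", ".map"}


def redact(key: str) -> str:
    """Keep enough of the key to locate it without copying it into CI logs."""
    return key[:7] + "*" * (len(key) - 7)


def find_secret_keys(text: str) -> list[tuple[int, str]]:
    """Return (line number, redacted key) for every sk_ key in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, redact(match.group())))
    return hits


def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Scan client-facing files under root; pub_ keys are allowed there."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in CLIENT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for lineno, key in find_secret_keys(text):
                findings.append((str(path.relative_to(root)), lineno, key))
    return findings


if __name__ == "__main__":
    results = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for rel_path, lineno, key in results:
        print(f"{rel_path}:{lineno}: secret API key in client code: {key}")
    sys.exit(1 if results else 0)
```

Run it against the build output directory as a CI step; a non-zero exit means a secret key reached client code and should be rotated from Settings > API Keys.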
Rate Limits
| Endpoint Group | Limit |
|---|---|
| Auth (login, register) | 5 req/s, burst 10 |
| Cancel flow | 10 req/15s per key |
| Event tracking | Plan-based per key |
| General API | 10 req/s, burst 30 |