User-facing API (most endpoints)

Send the Clerk session JWT:
Authorization: Bearer <clerk-token>
The token must be valid for your Clerk application as configured for Watchatic. Missing or invalid tokens receive 401. Requests may receive 403 when the resource belongs to another tenant or the operation is not allowed for that user. Use HTTPS against https://api-v2.watchcollect.com in production.

WAHA webhook (server-to-server)

WAHA posts inbound WhatsApp traffic to POST /v2/webhooks/waha. That route does not use Clerk. Instead WAHA sends:
X-WAHA-SECRET: <shared-secret>
and supplies userId (the Clerk user id) as a query parameter so events attach to the right tenant. Configure URL, secret, and query usage exactly as in WAHA webhook. Normal mobile/web clients never send this secret.

Machine-readable errors

Error responses are JSON objects whose fields are described under shared schemas in the API reference (for example ErrorResponse). Prefer inspecting status and parsing the documented body shape rather than matching raw strings.