
Authentication

All Owem API requests use Basic Authentication. You need:
  • API Key: Public identifier for your credential
  • API Secret: Secret key (shown only once)

Header Format

Authorization: Basic {Base64(API_KEY:API_SECRET)}

Generating the Token

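const API_KEY = process.env.OWEM_API_KEY;
const API_SECRET = process.env.OWEM_API_SECRET;

// Fail fast instead of sending "undefined:undefined" as the credential.
if (!API_KEY || !API_SECRET) {
  throw new Error("OWEM_API_KEY and OWEM_API_SECRET must be set");
}

// Basic token: Base64 of "API_KEY:API_SECRET".
const token = Buffer.from(`${API_KEY}:${API_SECRET}`).toString("base64");

const headers = {
  Authorization: `Basic ${token}`,
  "Content-Type": "application/json",
};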

Obtaining Credentials

1. Access Owem Dashboard

   Log in at app.owem.com.br with your account.

2. Navigate to Credentials

   Go to Settings → Credentials.

3. Generate new credentials

   Click Generate New Key and copy the API Secret immediately.

The API Secret is shown only once. Store it in a secure location.

Security

IP Allowlist

For added security, the Owem API requires requests from pre-registered static IPs.
Add your server’s public IP to the allowlist in the Owem dashboard before making requests.

Action      Path
Add IP      Settings → Security → Allowed IPs
Remove IP   Settings → Security → Allowed IPs

New IP rules may take up to 10 minutes to propagate.

Webhook Validation

When receiving webhooks from Owem, validate the source IP:
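
Owem IP Range
34.134.50.53
35.238.101.57

const OWEM_IPS = ["34.134.50.53", "35.238.101.57"];

// X-Forwarded-For is client-controlled. Honor it only when your own reverse
// proxy sets it (BEHIND_PROXY is an assumed setting, not an Owem option).
const BEHIND_PROXY = false;

function validateWebhookOrigin(req) {
  const forwarded = BEHIND_PROXY ? req.headers["x-forwarded-for"] : undefined;
  // The proxy appends the peer it saw, so check the last entry of the list.
  const raw = forwarded ? forwarded.split(",").pop().trim() : req.socket.remoteAddress;
  return OWEM_IPS.includes((raw || "").replace(/^::ffff:/, "")); // strip IPv4-mapped prefix
}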

HTTPS Required

All requests must use HTTPS with TLS 1.2+.
HTTP requests (without TLS) will be rejected.

Best Practices

Environment Variables

Never expose credentials in code. Use environment variables or secret managers.

Key Rotation

Rotate your credentials periodically and after any suspected leak.

Secure Logs

Never log the API Secret. Mask credentials in debug logs.

Minimum Scope

Use different credentials for production and development.
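
The Secure Logs practice above, as an added example that is not Owem's own code: the Basic token is only Base64, so a logged Authorization header gives away the API Secret, and a small redactor applied before logging prevents that. The helper names and the sample credentials are constructed for illustration.

```javascript
// Added example: keep Owem Basic credentials out of logs.
const SENSITIVE_HEADERS = new Set(["authorization", "proxy-authorization"]);

// Base64 is an encoding, not encryption: the header value reveals the secret.
function decodeBasicToken(headerValue) {
  const token = headerValue.replace(/^Basic\s+/i, "");
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":"); // the secret may itself contain ':'
  if (sep < 0) return null;
  return { key: decoded.slice(0, sep), secret: decoded.slice(sep + 1) };
}

// Build a redactor bound to one credential pair (hypothetical helper).
function makeRedactor(apiKey, apiSecret) {
  const token = Buffer.from(`${apiKey}:${apiSecret}`).toString("base64");
  const literals = [apiSecret, token].filter(Boolean);

  // Copy a header map, masking credential headers regardless of name casing.
  function headers(map) {
    const out = {};
    for (const [name, value] of Object.entries(map)) {
      out[name] = SENSITIVE_HEADERS.has(name.toLowerCase())
        ? `${String(value).split(" ")[0]} [REDACTED]`
        : value;
    }
    return out;
  }

  // Mask free-form text: any "Basic <token>" plus the raw secret and token.
  // The pattern errs on the side of over-masking words that follow "Basic".
  function text(message) {
    let out = String(message).replace(/\bBasic\s+[A-Za-z0-9+/=]+/gi, "Basic [REDACTED]");
    for (const lit of literals) out = out.split(lit).join("[REDACTED]");
    return out;
  }

  return { headers, text };
}

// Constructed sample values for the demonstration (not real credentials).
const SAMPLE_KEY = "ak_example_123";
const SAMPLE_SECRET = "s3cr3t:with-colon";
const redact = makeRedactor(SAMPLE_KEY, SAMPLE_SECRET);
const sampleHeaders = {
  authorization: `Basic ${Buffer.from(`${SAMPLE_KEY}:${SAMPLE_SECRET}`).toString("base64")}`,
  "Content-Type": "application/json",
};
console.log(redact.headers(sampleHeaders));
console.log(redact.text(`request failed, headers=${JSON.stringify(sampleHeaders)}`));
```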

Authentication Errors

HTTP   Code                Description
401    UNAUTHORIZED        Invalid or missing credentials
403    FORBIDDEN           IP not in allowlist
404    API_KEY_NOT_FOUND   API Key does not exist

{
  "requestId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "success": false,
  "status": 401,
  "message": "Authorization header required with Basic token"
}