Authentication
MessagePipe supports two authentication methods depending on the context:
Bearer Token: used for dashboard and management operations such as creating projects, managing templates and configuring providers. You obtain it by signing in via /auth/signin and pass it in the Authorization header:
Authorization: Bearer your-jwt-token
API Key: used for sending emails, messages and push notifications from your application. It can also be used to update and preview templates. It is scoped to a specific project and passed via the x-api-key header:
x-api-key: your-api-key-here
Most internal/management endpoints require a Bearer token. Sending endpoints accept either.
API Key Authentication
API keys are scoped to specific projects and can be managed independently.
Use Cases:
- Sending emails and messages
- Sending push notifications
- Retrying failed emails
- Template preview
- Template update
Getting Your API Key
Your API key is generated from the MessagePipe dashboard. To get one:
- Log into the MessagePipe dashboard
- Open your project
- Go to API Keys and click Create API Key
- Copy and store it securely. It is only shown once.
⚠️ Important: The API key is only shown once at creation time. If you lose it, you will need to generate a new one.
Account Management
These endpoints power the dashboard authentication flow:
Sign Up
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/signup" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "your-password",
"firstName": "John",
"lastName": "Doe"
}'
Sign In
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/signin" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "your-password"
}'
Response:
{
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "refresh_token_here",
"expiresIn": 3600
}
Refresh Token
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/refresh" \
-H "Content-Type: application/json" \
-d '{
"refreshToken": "your-refresh-token"
}'
Get Current User Profile
curl -X GET "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/me" \
-H "Authorization: Bearer YOUR_JWT_TOKEN"
Password Management
Request Password Reset
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/request-password-reset" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com"
}'
Response:
{
"message": "Password reset email sent"
}
Reset Password
Use the token received in the reset email:
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/reset-password" \
-H "Content-Type: application/json" \
-d '{
"token": "reset-token-from-email",
"newPassword": "your-new-password"
}'
Change Password
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/change-password" \
-H "Authorization: Bearer YOUR_JWT_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"currentPassword": "old-password",
"newPassword": "new-password"
}'
Security Best Practices
- Never expose API keys in client-side or mobile app code
- Store API keys as environment variables on your backend
- Use different API keys for different environments (staging, production)
- Regularly rotate API keys
- Disable unused API keys immediately
Environment Variables
# .env file
MESSAGEPIPE_API_KEY=mzl_1234567890abcdef
MESSAGEPIPE_BASE_URL=https://mzl-email-template-engine.dev.zero.mangozestlabs.com
Error Responses
Invalid API Key (401)
{
"statusCode": 401,
"message": "Invalid API key",
"error": "Unauthorized"
}
API Key Disabled (401)
{
"statusCode": 401,
"message": "API key is disabled",
"error": "Unauthorized"
}
Expired JWT Token (401)
{
"statusCode": 401,
"message": "Token has expired",
"error": "Unauthorized"
}
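An added example (not MessagePipe's own code) of a backend client that acts on the sign-in response, refresh endpoint and 401 bodies documented above: it refreshes shortly before expiresIn elapses, retries once on "Token has expired", and fails fast on any other 401. Assumptions: the send transport, the 30-second margin and the fake_send stand-in are hypothetical, and /auth/refresh is assumed to return the same fields as /auth/signin.

```python
import time

EXPIRED = "Token has expired"  # the only documented 401 that a refresh can fix


class AuthError(Exception):
    """401 that retrying cannot fix: bad or disabled API key, or a failed refresh."""


class BearerSession:
    """Caches the JWT pair; `send(method, path, headers, body) -> (status, json)` is a
    hypothetical injected transport (wrap your HTTP library of choice in it)."""
    SKEW = 30  # seconds of safety margin before the advertised expiry (assumed value)

    def __init__(self, send, tokens, clock=time.monotonic):
        self.send, self.clock, self.refresh_token = send, clock, None
        self._store(tokens)

    def _store(self, tokens):
        self.access = tokens["accessToken"]
        self.refresh_token = tokens.get("refreshToken", self.refresh_token)
        self.expires_at = self.clock() + tokens["expiresIn"]

    def refresh(self):
        # Assumption: /auth/refresh answers with the same fields as /auth/signin.
        status, body = self.send("POST", "/auth/refresh", {}, {"refreshToken": self.refresh_token})
        if status >= 400:
            raise AuthError("refresh rejected; sign in again")
        self._store(body)

    def request(self, method, path, body=None):
        if self.clock() >= self.expires_at - self.SKEW:
            self.refresh()  # proactive: token is about to lapse
        for attempt in (1, 2):
            status, resp = self.send(method, path, {"Authorization": f"Bearer {self.access}"}, body)
            if status != 401:
                return status, resp
            if resp.get("message") != EXPIRED or attempt == 2:
                raise AuthError(resp.get("message", "Unauthorized"))
            self.refresh()  # reactive: server says expired, retry exactly once


def fake_send(method, path, headers, body):
    """Constructed in-memory stand-in for the API: only the token 'new' is accepted."""
    if path == "/auth/refresh":
        return 200, {"accessToken": "new", "refreshToken": "r2", "expiresIn": 3600}
    if headers.get("Authorization") == "Bearer new":
        return 200, {"email": "user@example.com"}
    return 401, {"statusCode": 401, "message": EXPIRED, "error": "Unauthorized"}
```

Keep the token pair in memory or a server-side secret store only, and do not write Authorization headers to request logs.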