Authentication
MessagePipe uses one or two authentication methods depending on the operation you're performing: a JWT Bearer token on its own, or a Bearer token together with an API key.
API Key Authentication
API keys are used alongside Bearer tokens for sending emails/SMS and other external operations. API keys are scoped to specific projects and can be managed independently.
Header Format:
x-api-key: your-api-key-here
Use Cases:
- Sending emails and SMS
- Template preview
- Template update
Getting Your API Key
1. Create a Project
First, create a project in your MessagePipe dashboard:
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/projects" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My App"
  }'
2. Generate an API Key
Create an API key for your project:
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/projects/PROJECT_ID/api-keys" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production API Key"
  }'
Response:
{
  "message": "API key created successfully. This is the only time you will be able to see the raw API key. Please copy and store it securely. You will not be able to retrieve it again",
  "key": "mzl_1234567890abcdef"
}
⚠️ Important: The API key is only shown once. Store it securely.
API Key Management
List API Keys
curl -X GET "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/projects/PROJECT_ID/api-keys" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
Update API Key
curl -X PUT "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/projects/PROJECT_ID/api-keys/API_KEY_ID" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated Key Name",
    "isActive": false
  }'
Delete API Key
curl -X DELETE "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/projects/PROJECT_ID/api-keys/API_KEY_ID" \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
JWT Token Management
Sign In
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/signin" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "your-password"
  }'
Response:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "refresh_token_here",
  "expiresIn": 3600
}
Refresh Token
curl -X POST "https://mzl-email-template-engine.dev.zero.mangozestlabs.com/auth/refresh" \
  -H "Content-Type: application/json" \
  -d '{
    "refreshToken": "your-refresh-token"
  }'
Security Best Practices
API Key Security
- Never expose API keys in client-side code
- Store API keys as environment variables
- Use different API keys for different environments
- Regularly rotate API keys
- Disable unused API keys immediately
Environment Variables
# .env file (keep it out of version control)
MESSAGEPIPE_API_KEY=mzl_1234567890abcdef
MESSAGEPIPE_BASE_URL=https://mzl-email-template-engine.dev.zero.mangozestlabs.com
Error Responses
Invalid API Key (401)
{
  "statusCode": 401,
  "message": "Invalid API key",
  "error": "Unauthorized"
}
API Key Disabled (401)
{
  "statusCode": 401,
  "message": "API key is disabled",
  "error": "Unauthorized"
}
Expired JWT Token (401)
{
  "statusCode": 401,
  "message": "Token has expired",
  "error": "Unauthorized"
}
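The three 401 bodies above call for different client behaviour: an expired JWT can be refreshed and the call retried, while an invalid or disabled API key cannot be fixed by retrying. The following is an added example, not MessagePipe's own client code; `send` and `refresh` are hypothetical callables the caller supplies to perform the HTTP request and the `/auth/refresh` call, and the key is read from the `MESSAGEPIPE_API_KEY` variable shown under Environment Variables.

```python
import json
import os

# 401 messages copied from the "Error Responses" section of this page.
TOKEN_EXPIRED = "Token has expired"
KEY_ERRORS = ("Invalid API key", "API key is disabled")

class AuthError(Exception):
    """Raised for 401s that retrying cannot fix."""

def load_api_key(env=None):
    """Read the key from the environment instead of hard-coding it."""
    env = os.environ if env is None else env
    key = env.get("MESSAGEPIPE_API_KEY", "").strip()
    if not key:
        raise AuthError("MESSAGEPIPE_API_KEY is not set")
    return key

def redact(key):
    """Short form of the key that is safe to put in logs and errors."""
    return key[:4] + "***"

def classify_401(body_text):
    """Return 'refresh', 'key' or 'unknown' for a 401 response body."""
    try:
        message = json.loads(body_text).get("message")
    except (ValueError, TypeError, AttributeError):
        return "unknown"
    if message == TOKEN_EXPIRED:
        return "refresh"
    return "key" if message in KEY_ERRORS else "unknown"

def call_with_auth(send, refresh, api_key, jwt):
    """Call send(headers) -> (status, body); refresh the JWT at most once.

    send and refresh are hypothetical, caller-supplied callables."""
    for attempt in range(2):
        headers = {"x-api-key": api_key, "Authorization": f"Bearer {jwt}"}
        status, body = send(headers)
        if status != 401:
            return status, body
        kind = classify_401(body)
        if kind == "refresh" and attempt == 0:
            jwt = refresh()  # new access token from /auth/refresh
            continue
        # Key problems need rotation or re-enabling, not retries.
        raise AuthError(f"401 ({kind}) for key {redact(api_key)}")
```

Stopping on key errors instead of retrying keeps a disabled or leaked key from generating a stream of failed requests, and the redacted form keeps the raw key out of logs.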