Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.gateway.connexease.com/llms.txt

Use this file to discover all available pages before exploring further.

The Connexease Gateway uses API keys to verify your identity on every outbound request. When the Gateway forwards events back to your server, it uses a webhook secret you define — so both directions are protected without any extra setup on your end.

API Key Authentication

Every request to /v1/wa/message must include your API key in the Authorization header. The Gateway checks this key before processing anything — rate limiting, billing, and message delivery all happen only after a valid key is confirmed. 
Authorization: Bearer YOUR_API_KEY
Get your API key from the Connexease Gateway DashboardApp → Developers → API Keys → Create API Key. API keys are prefixed so you can tell them apart at a glance:
PrefixEnvironment
pk_Production
sk_Staging / Development
Never expose your API key in frontend JavaScript, mobile app code, or public repositories. Always make requests from your backend server.

Example

curl -X POST https://api.gateway.connexease.com/v1/wa/message \
  -H "Authorization: Bearer pk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "messaging_product": "whatsapp",
    "to": "905321234567",
    "type": "text",
    "text": { "body": "Hello!" }
  }'

Error Responses

If authentication fails, the Gateway returns one of the following errors before touching any other part of the pipeline:
CodeHTTPCauseFix
AUTH_002401Authorization header missing entirelyAdd the header to every request
AUTH_003401Not in Bearer <token> formatEnsure the Bearer prefix is present
AUTH_001401Key not found or expiredVerify the key in Dashboard → API Keys

Securing Your Webhook Endpoint

When the Gateway forwards events to your server, it includes a secret in the Authorization header — the same secret you set in Dashboard → Settings → Webhooks. This lets you confirm that the request genuinely came from the Gateway and not a third party. Your endpoint receives requests in this shape: 
POST https://your-server.com/webhook
Content-Type: application/json
Authorization: Bearer YOUR_WEBHOOK_SECRET

{ ...event payload... }
Check this header at the top of your handler, before reading or acting on the payload. Respond with HTTP 200 immediately, then process the event asynchronously — the Gateway will retry if it doesn’t hear back within 5 seconds. 
app.post('/webhook', (req, res) => {
  const auth = req.headers['authorization'];
  if (auth !== `Bearer ${process.env.WEBHOOK_SECRET}`) {
    return res.status(401).send('Unauthorized');
  }

  res.sendStatus(200);
  setImmediate(() => handleEvent(req.body));
});
Use a strong, randomly generated string (minimum 32 characters) as your webhook secret. Set it in Dashboard → Settings → Webhooks.

API Key Management

Creating and Revoking Keys

Keys are created and managed from DashboardSettings → API Keys. If a key is compromised, revoke it immediately and generate a new one — update your environment variables before restarting your service.

Best Practices

  • Use separate keys for production (pk_) and staging (sk_) environments.
  • Pass keys via environment variables — never hardcode them in source files.
  • Enable secret scanning in your CI/CD pipeline to catch accidental commits.
# .env.production
CONNEXEASE_API_KEY=pk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# .env.staging
CONNEXEASE_API_KEY=sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx