API Key Authentication
Every request to/v1/wa/message must include your API key in the Authorization header. The Gateway checks this key before processing anything — rate limiting, billing, and message delivery all happen only after a valid key is confirmed.
Example
Error Responses
If authentication fails, the Gateway returns one of the following errors before touching any other part of the pipeline:Public API Authentication
The Public API (public-api.gateway.connexease.com) endpoints authenticate with a secret key (sk_), sent in the Authorization header as a Bearer token. The organization is always derived from the credential — you never pass organization_id separately.
Secret Key
A server-side secret used for the Analytics, Application, and Template endpoints. Send it as:ORGANIZATION_SECRET_010 (missing), ORGANIZATION_SECRET_011 (invalid).
Securing Your Webhook Endpoint
When the Gateway forwards events to your server, it includes a secret in theAuthorization header — the same secret you set in Dashboard → Settings → Webhooks. This lets you confirm that the request genuinely came from the Gateway and not a third party.
Your endpoint receives requests in this shape:
Use a strong, randomly generated string (minimum 32 characters) as your webhook secret. Set it in Dashboard → Settings → Webhooks.
API Key Management
Creating and Revoking Keys
Keys are created and managed from Dashboard → Settings → API Keys. If a key is compromised, revoke it immediately and generate a new one — update your environment variables before restarting your service.Best Practices
- Use separate keys for production (
pk_) and staging (sk_) environments. - Pass keys via environment variables — never hardcode them in source files.
- Enable secret scanning in your CI/CD pipeline to catch accidental commits.