Skip to main content
Security is a top priority. All requests made to the Connexease Gateway API must be authenticated using an API Key.

Using Your API Key

You must include your API Key in the Authorization HTTP header of every request. The key must be prefixed with the word Bearer, followed by a space.
Authorization
string
required
Format: Bearer <YOUR_API_KEY>

Request Example

Here is how you pass your API Key in a standard cURL request: 
curl --request POST \
  --url https://proxy.gateway.connexease.com/v1/wa/message \
  --header 'Authorization: Bearer YOUR_API_KEY' \
  --header 'Content-Type: application/json' \
  --data '{ ... }'
Keep your API keys secure! Never expose your API keys in publicly accessible areas such as GitHub repositories, client-side code (like frontend JavaScript), or public forums. Always make requests from your backend server.

Authentication Errors

If your API key is missing, malformed, or invalid, the gateway will immediately reject the request and return an HTTP 401 Unauthorized status. Thanks to our unified response format, you will always receive a clear explanation: 
{
  "isSuccess": false,
  "errors": {
    "code": "AUTH_001",
    "group": "UNAUTHORIZED",
    "description": "API Key not found, invalid, or expired."
  }
}
For a full list of authentication-related error codes (e.g., AUTH_002 for missing headers), please refer to the dictionary.

Webhook Authentication (Securing Incoming Events)

When Connexease forwards WhatsApp events (like incoming messages or delivery statuses) to your server, you need to verify that the request genuinely came from us. To do this, you can configure a Custom Webhook Secret in your Connexease dashboard. Once configured, our Gateway will include this secret in the Authorization header of every POST request it makes to your webhook URL. 
app.post('/webhook', (req, res) => {
    const authHeader = req.headers['authorization'];
    
    // Validate the incoming request
    if (authHeader !== `Bearer YOUR_WEBHOOK_SECRET`) {
        return res.status(401).send("Unauthorized");
    }
    
    // Process the webhook safely...
});