Skip to main content
The Connexease Gateway uses API keys to verify your identity on every outbound request. When the Gateway forwards events back to your server, it uses a webhook secret you define — so both directions are protected without any extra setup on your end.

API Key Authentication

Every request to /v1/wa/message must include your API key in the Authorization header. The Gateway checks this key before processing anything — rate limiting, billing, and message delivery all happen only after a valid key is confirmed.
Get your API key from the Connexease Gateway DashboardApp → Developers → API Keys → Create API Key. API keys are prefixed so you can tell them apart at a glance:
Never expose your API key in frontend JavaScript, mobile app code, or public repositories. Always make requests from your backend server.

Example

Error Responses

If authentication fails, the Gateway returns one of the following errors before touching any other part of the pipeline:

Public API Authentication

The Public API (public-api.gateway.connexease.com) endpoints authenticate with a secret key (sk_), sent in the Authorization header as a Bearer token. The organization is always derived from the credential — you never pass organization_id separately.

Secret Key

A server-side secret used for the Analytics, Application, and Template endpoints. Send it as:
The Secret Key is provided via email. To request your key, please contact the Connexease Sales or Support team, or send an email request to abdullah@connexease.com. The organization (and the secret’s identity) is derived from the key.
The secret key grants full server-side access. Never expose it in frontend JavaScript, mobile apps, or public repositories — use it only from your backend.
Used by: Get Messages, Get Business Profile, Update Business Profile, Create Template, Get Templates, Get Template Detail, and Update Template. Errors: ORGANIZATION_SECRET_010 (missing), ORGANIZATION_SECRET_011 (invalid).

Securing Your Webhook Endpoint

When the Gateway forwards events to your server, it includes a secret in the Authorization header — the same secret you set in Dashboard → Settings → Webhooks. This lets you confirm that the request genuinely came from the Gateway and not a third party. Your endpoint receives requests in this shape:
Check this header at the top of your handler, before reading or acting on the payload. Respond with HTTP 200 immediately, then process the event asynchronously — the Gateway will retry if it doesn’t hear back within 5 seconds.
Use a strong, randomly generated string (minimum 32 characters) as your webhook secret. Set it in Dashboard → Settings → Webhooks.

API Key Management

Creating and Revoking Keys

Keys are created and managed from DashboardSettings → API Keys. If a key is compromised, revoke it immediately and generate a new one — update your environment variables before restarting your service.

Best Practices

  • Use separate keys for production (pk_) and staging (sk_) environments.
  • Pass keys via environment variables — never hardcode them in source files.
  • Enable secret scanning in your CI/CD pipeline to catch accidental commits.