Access your API Key
An API Key is a secure, alphanumeric identifier that enables authentication and access to Messangi’s APIs. It works as an access token that validates the identity of the requester and authorizes specific actions based on that identity.
Only admin users can access their API Key. It is located in the Preferences section of the platform, under the API tab.
NOTE
Each API Key is uniquely tied to a specific Space.
You must include the API Key in the headers of your
HTTPrequests to access the platform’s endpoints. It authorizes actions such as sending messages, retrieving reports, configuring campaigns, and more.Therefore, the API Key is unique to your Space and must be included in your API requests to validate access.
This section will display the following API Key information:
-
Current API Key: This field contains your active API Key, which is masked by default for security.
Click the Show button on the lower right to reveal the key.
Use the copy icon at the end of the field to quickly copy the key to your clipboard.
warning
This API Key should be kept secure and never shared or exposed in public code.
-
Creation Date: Displays the date and time when the current API Key was generated.
This helps you track when the key was issued, which is useful for enforcing expiration policies or auditing access.
-
Status: Displays the current state of the API Key. The possible statuses are:
- Active: The key is valid and ready to use in API calls.
- Expired: The key has reached its expiration date and can no longer be used.
- Revoked: The key has been manually disabled and is no longer valid.
- Active: The key is valid and ready to use in API calls.
-
Expiration Date: Indicates the date and time when the API Key will become invalid.
This field is critical for planning key rotation. Once this date is reached, the key will automatically be marked as Expired.
-
Action Buttons: At the bottom right of the panel, you’ll see two possible key actions:
-
Revoke API Key: This button allows you to immediately disable the current API Key.
Clicking this opens a confirmation dialog. Once confirmed, the key is revoked permanently and cannot be reactivated.
Once the Confirm button is clicked, a notification email is sent to the admin confirming the revocation of the API Key.
A new button labeled Generate API Key becomes available, and the API Key status will change to "Revoked".
-
Generate API Key: This button allows you to create a new API Key after the previous one has been revoked or is no longer valid (expired).
Clicking this opens a configuration dialog that lets the admin define when the new API Key will expire.
Options to generate a new API Key are the following:
- Never: The key will remain valid indefinitely.
- After: Expires automatically after a defined number of days, weeks, months, or years.
- Custom: The admin selects a specific expiration date from a calendar picker.
Once the Confirm button is clicked, a notification email is sent to the admin confirming that a new API Key has been generated and is now linked to the same Space.
- Never: The key will remain valid indefinitely.
-
API Key Expiration Notifications
To help administrators stay informed and take timely action, the platform automatically sends email notifications related to API Key expiration. This ensures that your team has enough time to rotate credentials before access is interrupted.
The following notifications will be sent:
-
Upcoming Expiration Reminder: A few days before the API Key is set to expire, the admin will receive an email reminding them of the upcoming expiration date.
This email includes:
- The expiration date and time of the API Key.
- The Space to which the key belongs.
-
API Key Expired: As soon as the expiration date is reached, the admin will receive a second email notification confirming that the API Key has officially expired and is no longer valid for use.
This helps prevent unexpected service disruptions by alerting the team in real-time.
All users with admin-level permissions in the Space will receive the API Key notifications, regardless of who created or managed the API Key.
API Key Best Practices
API Keys provide access to each API and endpoint and must be handled with strict security protocols, especially in development and production codebases. Mismanagement of API Keys can expose your system to unauthorized access, data breaches, and service interruptions.
Avoid Hardcoding API Keys
Never hardcode your API Key directly into your source code.
Example of what not to do:
// ❌ This is insecure and should be avoided
const API_KEY = "xxxxxxxxxxxxxx";
Why is this dangerous?
- If the codebase is stored in a public or shared repository, the key may be exposed to unauthorized users.
- Hardcoded keys are difficult to rotate in case of emergencies.
- They often end up in logs, stack traces, or client-side bundles (especially in web or mobile apps), increasing the risk of accidental leaks.
Recommended Storage: Configuration Files
Use secure, environment-based configuration files to store API Keys outside the main codebase. This makes your app more flexible and secure.
For example:
- Store the key in a
.envfile:
# .env THIS_API_KEY=xxxxxxxxxxxxxx
- Then load it using a library like
dotenv:
require('dotenv').config(); const apiKey = process.env.THIS_API_KEY;
Plan for Emergency Key Rotation
API Keys may need to be rotated at any time due to:
- Suspicious activity
- Accidental exposure
- Scheduled expiration
To respond quickly:
- Keep API Keys in a centralized, editable config file.
- Ensure the file is excluded from version control (.gitignore).
- Structure your application so you can replace the key without code changes or redeployments.
Security Recommendations
- Keep your API Key confidential.
- Do not share it publicly or embed it in client-side code.
- If you suspect the key has been exposed, revoke the API Key immediately and contact our Support Team.
Updated 9 days ago