Authenticating With The API

Every request to the Mezmo API must be authenticated so that the service can identify the caller and enforce that caller's permissions. The API uses key-based authentication: you include a unique access key in the Authorization header of each request, prefixed with the Token scheme.

Quick start

Add the Authorization header - Format: Authorization: Token <your_token>


For enterprise operations, an enterprise token may additionally carry the specific child account it should act on behalf of, by adding a delegation header:

  1. x-delegate-account-id: <account_id> (enterprise tokens only)

Key Considerations

Choose the Appropriate Access Key Type:

Mezmo offers several token types, each designed for a particular use case and level of access. Select the type that matches what your application or integration actually needs:

  1. Service Accounts: Used for machine-to-machine communication, background services, and applications that need persistent access. Each service account has exactly one access key associated with it.

  2. Enterprise Service Accounts: Like a standard service account, except that the access key is not bound to an individual account; it may be used to manage an enterprise programmatically, or to interact with any of the child accounts that belong to the enterprise organization.

  3. Personal Access Keys: Tied to a specific user within the organization, and may have a shorter lifespan. These keys inherently carry the same level of access as the user they belong to, so changing the permissions granted to a user changes the scope of every access key that user has provisioned.
    1. Scoped Access: A personal access key may also be created with a reduced level of access, to further restrict what it can be used for.

Examples

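A worked request-assembly example, added here and not part of Mezmo's own client code, covering both quick-start shapes: a plain access key, and an enterprise token with the x-delegate-account-id header. The Token scheme and the header names come from this page; the environment variable name MEZMO_API_KEY, the demo key value and the helper names are assumptions made for the example. The key is read from the environment rather than hard-coded, and the redaction helper exists so the raw key never reaches a log line.

```javascript
// Added example, not Mezmo's own client code: assembling the headers for a
// Mezmo API request as described in the quick start. The variable name
// MEZMO_API_KEY and the demo key value are assumptions for this example.

// Read the access key from the environment (or whatever your secret manager
// injects there) instead of hard-coding it. `env` is injectable for testing.
function loadAccessKey(env = process.env, name = 'MEZMO_API_KEY') {
  const raw = env[name];
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new Error(`${name} is not set`);
  }
  // A trailing newline copied from a key file is a classic cause of a 401.
  return raw.trim();
}

// Build the headers. `delegateAccountId` is only meaningful with an enterprise
// service-account token, so the caller has to state explicitly that it holds one.
function buildAuthHeaders({ token, delegateAccountId, enterpriseToken = false }) {
  if (typeof token !== 'string' || token === '') {
    throw new Error('access key must be a non-empty string');
  }
  if (/^token\s/i.test(token)) {
    throw new Error("pass the bare key; the 'Token ' scheme prefix is added here");
  }
  if (/\s/.test(token)) {
    throw new Error('access key must not contain whitespace');
  }
  const headers = { Authorization: `Token ${token}` };
  if (delegateAccountId !== undefined) {
    if (!enterpriseToken) {
      throw new Error('x-delegate-account-id is only valid with an enterprise token');
    }
    headers['x-delegate-account-id'] = String(delegateAccountId);
  }
  return headers;
}

// Never log the raw key; keep only the last few characters for correlation.
function redactHeaders(headers, keep = 4) {
  const out = { ...headers };
  const key = headers.Authorization.slice('Token '.length);
  out.Authorization =
    'Token ' + '*'.repeat(Math.max(0, key.length - keep)) + key.slice(-keep);
  return out;
}

// Usage with a constructed environment so the example runs without a real key.
const demoEnv = { MEZMO_API_KEY: 'abcdef0123456789\n' }; // constructed demo value
const demoKey = loadAccessKey(demoEnv);
console.log(redactHeaders(buildAuthHeaders({ token: demoKey })));
console.log(redactHeaders(buildAuthHeaders({
  token: demoKey,
  delegateAccountId: 'child-account-id', // assumption: placeholder id
  enterpriseToken: true,
})));
```

Swap `demoEnv` for the real `process.env` in production; the rest of the code is unchanged, which is the point of keeping the key out of the source.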

Security best practices

  • Rotate tokens regularly. Use expirations and rotate before they expire.
  • Grant only what you need. Prefer minimal scopes.
  • Use service accounts for automation. Avoid personal tokens in CI/CD.
  • Store tokens in environment variables or a secret manager. Do not hard‑code tokens.
  • Implement a mechanism to quickly revoke tokens if they are suspected of being compromised or are no longer needed.

Troubleshooting

Common HTTP codes

Quick validation

Expect 200 (valid) or 401 (invalid)


Debug headers

Responses from the API include additional metadata in the response headers describing what the system understood about the subject making the request. These headers share a common prefix, x-auth-*, which makes them easy to pick out when you are debugging a rejected request.

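The quick-validation call from the troubleshooting section, as an added example that is not Mezmo's own code: it sends one authenticated GET, treats 200 as a valid key and 401 as an invalid one, refuses to guess about any other status, and collects the x-auth-* debug headers from the response. The base URL, the probe path, the individual x-auth-* header names emitted by the mock (only the prefix is documented on this page) and the mock API itself are assumptions constructed for the example.

```javascript
// Added example, not Mezmo's own code: validate an access key and collect the
// x-auth-* debug headers. Base URL, probe path and the header names inside the
// mock are assumptions; only the x-auth- prefix comes from the documentation.
const API_BASE = 'https://api.mezmo.com'; // assumption
const PROBE_PATH = '/v1/config';           // assumption: any cheap authenticated GET

// Pull every x-auth-* header out of a Headers/Map-like object (iterates [name, value]).
function collectAuthDebugHeaders(headers) {
  const info = {};
  for (const [name, value] of headers) {
    const lower = name.toLowerCase();
    if (lower.startsWith('x-auth-')) info[lower] = value;
  }
  return info;
}

// Map the probe's status to a verdict. Only 200 and 401 say something about the
// key itself; anything else (403 authz, 429, 5xx) is surfaced, not guessed about.
function interpretValidation(status, headers) {
  const authInfo = collectAuthDebugHeaders(headers);
  if (status === 200) return { valid: true, status, authInfo };
  if (status === 401) return { valid: false, status, authInfo };
  throw new Error(`status ${status} does not indicate whether the key is valid`);
}

// fetchImpl is injected so the example runs offline; pass the real fetch to probe the API.
async function validateAccessKey(token, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${API_BASE}${PROBE_PATH}`, {
    method: 'GET',
    headers: { Authorization: `Token ${token}` },
  });
  return interpretValidation(res.status, res.headers);
}

// Constructed stand-in for the API: one accepted key, everything else gets 401.
// The x-auth-* header names it emits are invented for this example.
function mockResponseFor(authorization) {
  const token = authorization.startsWith('Token ') ? authorization.slice(6) : '';
  const headers = new Map([['content-type', 'application/json']]);
  if (token === 'good-key') {
    headers.set('x-auth-principal-type', 'service-account'); // assumption
    headers.set('x-auth-account-id', 'acct-42');             // assumption
    return { status: 200, headers };
  }
  return { status: 401, headers };
}
function mockMezmoFetch(url, init) {
  const auth = (init && init.headers && init.headers.Authorization) || '';
  return Promise.resolve(mockResponseFor(auth));
}

// Usage against the mock; the real fetch would hit the live API instead.
validateAccessKey('good-key', mockMezmoFetch).then(r => console.log('good-key:', r));
validateAccessKey('stale-key', mockMezmoFetch).then(r => console.log('stale-key:', r));
```

Keeping `interpretValidation` separate from the network call is deliberate: the 200/401 logic and the header collection can be exercised without a live key, and a 403 or 5xx is reported as "no verdict" rather than being misread as a bad key.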