
Authentication

JWT for the dashboard and API keys for integrations.

MailingCore uses two mechanisms depending on who calls the API.

API key (integrations)

To send emails, manage contacts, campaigns, or webhooks from your application:

Authorization: Bearer mc_live_xxxxxxxx
X-Tenant-Id: clxxxxxxxx
Content-Type: application/json

Prefix      Environment
mc_live_    Production
mc_test_    Testing

The key must include the scope required by the endpoint (for example email:send for POST /emails/send).

JWT (dashboard and human session)

The dashboard authenticates admins with email and password:

POST /auth/login

Response: accessToken (15 min) + refreshToken (30 days). Dashboard requests send:

Authorization: Bearer <accessToken>
X-Tenant-Id: <tenantId>

Endpoints such as templates, domains, analytics, and billing require JWT, not API keys.

2FA (optional)

Admins can enable TOTP (POST /auth/2fa/enable). When 2FA is active, login returns a challenge that you must complete with POST /auth/login/verify-2fa.

Authentication errors

Code    Common cause
401     Expired token, invalid or revoked API key
403     Insufficient scope or unauthorized tenant

See Error codes.
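
The credential rules and error causes above, as an added client-side example (not MailingCore's own code): it picks the credential an endpoint accepts, refuses a key whose prefix does not match the environment, masks the secret for logging, and maps 401/403 to a next step. The path prefixes in JWT_ONLY, the environment names, the returned action names, and the rule that every other path is an integration call made with an API key are assumptions.

```python
# Added example. JWT_ONLY paths and environment names are assumptions, not MailingCore's.
KEY_PREFIX_ENV = {"mc_live_": "production", "mc_test_": "testing"}
JWT_ONLY = ("/templates", "/domains", "/analytics", "/billing")  # assumed paths

def key_environment(api_key):
    """Return the environment a key belongs to, or None if the prefix is unknown."""
    for prefix, env in KEY_PREFIX_ENV.items():
        if api_key.startswith(prefix):
            return env
    return None

def build_headers(path, tenant_id, env, api_key=None, access_token=None):
    """Pick the credential the endpoint accepts and build the request headers."""
    if not tenant_id:
        raise ValueError("X-Tenant-Id is required on every request")
    if path.startswith(JWT_ONLY):
        if not access_token:
            raise PermissionError(f"{path} requires a dashboard JWT, not an API key")
        credential = access_token
    else:
        if not api_key:
            raise ValueError("integration endpoints need an API key")
        if key_environment(api_key) != env:
            raise ValueError(f"key prefix does not match the {env} environment")
        credential = api_key
    return {
        "Authorization": f"Bearer {credential}",
        "X-Tenant-Id": tenant_id,
        "Content-Type": "application/json",
    }

def redact(headers):
    """Copy of headers that is safe to log: the bearer credential is masked."""
    safe = dict(headers)
    scheme, _, secret = safe.get("Authorization", "").partition(" ")
    if secret:
        # Keep only the environment prefix of an API key; hide JWTs entirely.
        shown = secret[:8] if key_environment(secret) else ""
        safe["Authorization"] = f"{scheme} {shown}***"
    return safe

def on_auth_error(status, used_jwt):
    """Map the page's 401/403 causes to what the caller should do next."""
    if status == 401:
        return "renew_access_token" if used_jwt else "replace_api_key"
    if status == 403:
        return "fix_scope_or_tenant"  # same credential cannot succeed on retry
    return "not_an_auth_error"
```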