Authentication
JWT for the dashboard and API keys for integrations.
MailingCore uses two mechanisms depending on who calls the API.
API key (integrations)
To send emails, manage contacts, campaigns, or webhooks from your application:
Authorization: Bearer mc_live_xxxxxxxx
X-Tenant-Id: clxxxxxxxx
Content-Type: application/json
| Prefix | Environment |
|---|---|
| mc_live_ | Production |
| mc_test_ | Testing |
The key must include the scope required by the endpoint (for example email:send for POST /emails/send).
JWT (dashboard and human session)
The dashboard authenticates admins with email and password:
POST /auth/login
Response: accessToken (15 min) + refreshToken (30 days). Dashboard requests send:
Authorization: Bearer <accessToken>
X-Tenant-Id: <tenantId>
Endpoints such as templates, domains, analytics, and billing require JWT, not API keys.
2FA (optional)
Admins can enable TOTP (POST /auth/2fa/enable). When it is active, login returns a challenge that you must complete with POST /auth/login/verify-2fa.
Authentication errors
| Code | Common cause |
|---|---|
| 401 | Expired token, invalid or revoked API key |
| 403 | Insufficient scope or unauthorized tenant |
See Error codes.
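A client-side wrapper for the API-key request format and the 401/403 table above, as an added example that is not MailingCore's own code: it refuses a key whose prefix does not match the environment the caller expects, logs only the key prefix, and raises a PermissionError for 401 and 403. The function names and the `expected_env` parameter are assumptions; the base URL and request body are supplied by the caller because this page does not specify them.

```python
import json
import urllib.error
import urllib.request

# Prefix -> environment, from the table under "API key (integrations)".
KEY_PREFIXES = {"mc_live_": "production", "mc_test_": "testing"}
# Status -> common cause, from the "Authentication errors" table.
AUTH_ERRORS = {401: "expired token, invalid or revoked API key",
               403: "insufficient scope or unauthorized tenant"}

def key_environment(api_key):
    """Return the environment implied by the key prefix."""
    for prefix, env in KEY_PREFIXES.items():
        if api_key.startswith(prefix) and len(api_key) > len(prefix):
            return env
    raise ValueError("API key must start with mc_live_ or mc_test_")

def redact(api_key):
    """Keep only the 8-character prefix so log lines never carry the secret."""
    return api_key[:8] + "***"

def build_request(base_url, path, api_key, tenant_id, body, expected_env):
    """Build a POST request; refuse a key from the wrong environment."""
    env = key_environment(api_key)
    if env != expected_env:
        raise ValueError(f"{redact(api_key)} is a {env} key, expected {expected_env}")
    if not tenant_id:
        raise ValueError("X-Tenant-Id is required")
    headers = {
        "Authorization": f"Bearer {api_key}",
        "X-Tenant-Id": tenant_id,
        "Content-Type": "application/json",
    }
    return urllib.request.Request(base_url.rstrip("/") + path, method="POST",
                                  data=json.dumps(body).encode("utf-8"), headers=headers)

def send(request):
    """Send the request; report 401/403 with the documented cause, never the key."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in AUTH_ERRORS:
            raise PermissionError(f"{err.code}: {AUTH_ERRORS[err.code]}") from None
        raise
```

Retrying a 401 or 403 with the same credentials will not succeed, so callers should handle the PermissionError by refreshing the token or fixing the key, scope or tenant.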