Skip to content

API keys

The recommended way to authorize user requests is with an API key. For other requests, like accessing packages and transfers, the MASV API requires Web tokens.

API keys simplify integration with the MASV API in these ways:

  • The username and password does not need to be hardcoded or stored.
  • The key does not require a refresh after expiration every few days.
  • An API key, while active, does not require the user to periodically answer multi-factor authentication (MFA) challenges.

Supported roles

An API key gives your application the same permissions as the MASV user from which it was created. Users with these roles can create API keys:

  • Owner role
  • Integration Manager

To learn more about user roles and permissions, see the MASV access policy.

Create an API key

You can create and manage API keys with the MASV Web App. Authorized users can create API keys for any Team that they belong to.

Note

A API key's value is generated automatically and returned only once. It carries the same privileges as the user that it was created for. Keep this safe and secure!

Your application can also create API keys programmatically:

Method Route
POST /teams/{{ team_id }}/api_keys
HEADERS
Name Type Required Description
X-User-Token String Yes JSON Web Token. See Web Tokens.
Content-Type String Yes Required Value: application/json
BODY
Name Type Required Description
name String No Name of the key to create
description String No Description for the key
expiry String No Date-time expiry for the key
Default: 0001-01-01T00:00:00.000Z
Accepted Format: ISO 8601
state String Yes State of the API key
Accepted Values: active/inactive
URL parameters
Name Type Required Description
team_id String Yes The team id to bind the api key. (Retrieved in (Generate))
REQUEST
    curl -d "{\"name\": \"$NAME\", \"description\": \"$DESCRIPTION\", \"expiry\": \"$EXPIRY\", \"state\": \"$STATE\"}" \
    -H "X-User-Token: $USER_TOKEN" \
    -H "Content-Type: application/json" \
    -X POST https://api.massive.app/v1/teams/$TEAM_ID/api_keys

After a successful request an API key will be created, the endpoint will return an HTTP response with a status code of 201 Created and a body response matching the json below.

{
    "created_at": "2021-04-19T16:57:32.683Z",
    "description": "This is a sample API key description",
    "expiry": "2021-04-24T16:57:32.547Z",
    "id": "01F3NH1NRBQWRN7HQDJ2SYGBDH",
    "key": "<api-key-value-here>",
    "last_request_at": "0001-01-01T00:00:00.000Z",
    "name": "Sample API key",
    "state": "active",
    "updated_at": "2021-04-19T16:57:32.683Z"
}

Response Properties:

Property Description
created_at The datetime that the key was created.
description The key description (provided in the previous step.)
expiry The datetime the key will expire
id The created API key ID.
key The actual API key to be used in requests to the MASV API.
last_request_at The last time the key was used.
name The name of the key (provided in the previous step.)
state State of the API key
Possible Values: active/inactive
updated_at Last time key information was updated.

Warning

The actual authentication key property: key is returned during the create response. It will not be included in any Get or List requests. It is unable to be updated. In case of they key being lost, a new key will need to be created and the old key disabled.

Important

If the team subscription becomes inactive or the trial ends, then API keys will be suspended until the team is reactivated. Attempting to use a suspended key will return error 402 unauthorized

Update API key

Users can update API keys for any Team that they are authorized to. (access policy).

Method Route
PUT /api_keys/{{ api_key_id }}
HEADERS
Name Type Required Description
X-User-Token String Yes User JSON Web Token (Generate)
Content-Type String Yes Required Value: application/json
URL parameters
Name Type Required Description
api_key_id String Yes The API key to be updated. Ref property: id above. Not property: key
BODY
Name Type Required Description
name String No Name of the key to create
description String No Description for the key
expiry String No Date-time expiry for the key
Default: 0001-01-01T00:00:00.000Z
Accepted Format: ISO 8601
state String Yes State of the API key
Accepted Values: active/inactive
REQUEST
curl -d "{\"name\": \"$NAME\", \"description\": \"$DESCRIPTION\", \"expiry\": \"$EXPIRY\", \"state\": \"$STATE\"}" \
-H "X-User-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-X PUT https://api.massive.app/v1/api_keys/$API_KEY_ID

After a successful request the API key will be updated. This endpoint will then return an HTTP response with a status code of 200 OK and a body response matching the json below.

If the key state has been set to inactive then any API requests that use the key in the headers will be rejected with error 401 unauthorized. 

{
    "created_at": "2021-04-19T16:57:32.683Z",
    "description": "This is a sample API key description",
    "expiry": "2021-04-24T16:57:32.547Z",
    "id": "01F3NH1NRBQWRN7HQDJ2SYGBDH",
    "last_request_at": "0001-01-01T00:00:00.000Z",
    "name": "Sample API key",
    "state": "active",
    "updated_at": "2021-04-19T16:57:32.683Z"
}

Response Properties:

Property Description
created_at The datetime that the key was created.
description The key description (provided in the previous step.)
expiry String
id The created API key ID.
last_request_at The last time the key was used.
name The name of the key (provided in the previous step.)
state State of the API key
Possible Values: active/inactive
updated_at Last time key information was updated.

Warning

As mentioned above the actual authentication key property: key is returned during the create response. It will not be included in any Get or List requests. It is unable to be updated. In case of they key being lost, a new key will need to be created and the old key disabled.

Activate/deactivate API key

Authorized users can modify the state of any of their Team's API keys. This serves as a helper method to quickly toggle a key's state without having to fetch and pass the full object. (access policy).

Method Route
PUT /api_keys/{{ api_key_id }}/{{ state }}
HEADERS
Name Type Required Description
X-User-Token String Yes User JSON Web Token (Generate)
Content-Type String Yes Required Value: application/json
URL parameters
Name Type Required Description
api_key_id String Yes The API key to be updated. Ref property: id above. Not property: key
action String Yes State of the API key to be updated
Accepted Values: active/inactive
REQUEST
curl \
-H "X-User-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-X PUT https://api.massive.app/v1/api_keys/$API_KEY_ID/$ACTION

After a successful request the API key will be updated. This endpoint will then return an HTTP response with a status code of 204 No Content and an empty body.

If the key state has been set to inactive then any API requests that use the key in the headers will be rejected with error 401 unauthorized.

If the key state is suspended it cannot be activated or deactivated.

Delete API key

Authorized users can delete API keys. (access policy).

Method Route
DELETE /api_keys/{{ api_key_id }}
HEADERS
Name Type Required Description
X-User-Token String Yes User JSON Web Token
Content-Type String Yes Must be application/json
URL parameters
Name Type Required Description
api_key_id String Yes The API key to be updated. Ref property: id above. Not property: key
REQUEST
curl \
-H "X-User-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-X DELETE https://api.massive.app/v1/api_keys/$API_KEY_ID

After a successful request the API key will be deleted. The endpoint will then return an HTTP response with a status code of 204 No Content and an empty body.

List API keys

The Team Owner can retrieve a list of all API keys that belong to a given Team.

Method Route
GET /teams/{{ team_id }}/api_keys
HEADERS
Name Type Required Description
X-User-Token String Yes User JSON Web Token
Content-Type String Yes Must be application/json
URL parameters
Name Type Required Description
team_id String Yes The team id to request api keys from. (Retrieved in (Generate))
REQUEST
curl \
-H "X-User-Token: $USER_TOKEN" \
-H "Content-Type: application/json" \
-X GET https://api.massive.app/v1/teams/$TEAM_ID/api_keys

After a successful request, this endpoint will return an HTTP response with a status code of 200 OK and a body similar to the one below.

[
    {
        "created_at": "2021-04-16T20:42:37.659Z",
        "description": "This is a sample key",
        "expiry": "2021-04-20T20:42:37.000Z",
        "id": "01F3E6QN6V9TYCSRCEXB5B9JWR",
        "last_request_at": "0001-01-01T00:00:00.000Z",
        "name": "Sample key",
        "state": "active",
        "updated_at": "2021-04-19T10:42:58.221Z"
    },
    {
        "created_at": "2021-04-16T19:29:46.381Z",
        "description": "This is a sample key that has been set to inactive",
        "expiry": "0001-01-01T00:00:00.000Z",
        "id": "01F3E2J8CDDM4XDXE8RRFWWCXY",
        "last_request_at": "2021-04-18T11:23:48.223Z",
        "name": "Inactive sample key",
        "state": "inactive",
        "updated_at": "2021-04-19T10:42:58.200Z"
    }
]

Use an API key

API keys can be supplied in the headers on endpoint methods that typically require the user authorization token: X-User-Token.

Sample: Listing sent packages

For full package documentation please reference Document: Packages

GET /teams/{{ team_id }}/packages

HEADERS
Name Type Required Description
X-API-KEY String Yes API key value
Content-Type String Yes Must be application/json
REQUEST
curl -H "X-API-KEY: $API_KEY" -H "Content-Type: application/json" -X POST https://api.massive.app/v1/teams/$TEAM_ID/packages

User methods that do not accept API keys

The following User methods require X-User-Token:

Method Route
GET /teams/{{ team_id }}/api_keys
PUT /api_keys/{api_key_id}
DELETE /api_keys/{api_key_id}
GET /teams/{team_id}/api_keys
POST /teams/{team_id}/api_keys
PUT /users/{user_id}
POST /users/{user_id}/password
PUT /users/{user_id}/email