1. Home
  3. Appendix


Basic Access Authentication (RFC 2617)


System Actors

client = the party sending the HTTP request. i.e. the API Client

server  = the party receiving the HTTP request. i.e. the endpoint, either MGW’s or the User’s


The implementation of HTTP Header “Authorization” is for the following core reasons:

1. Prove the identity of the client / user-agent

When required by the server, all requests are verified against the values set in the Authorization header.The server MUST either allow or deny requests based on the validity of the submitted header value

The authorization mechanism DOES NOT address confidentiality of the HTTP request. The HTTP Requests, however, MAY be sent via a secure transport (i.e. HTTPS) to achieve confidentiality.

The header value is formatted as: AuthType Credential


AuthType MUST be set to “Basic “.

Credential MUST be set as the encoded credential.

The ClientIdentity and Password must be combined into a string, then encoded using RFC2045-MIME variant of Base64, except not limited to 76char/line.

The ClientIdentity and Password will be provisioned and assigned to you by your Account Manager.


Permanent Redirects (Status 301 / 308)


The Messaging Gateway server MAY return status 301 or 308 in scenarios such as:

1. moved URL

2. HTTP to HTTPS upgrade

Connection Handling

  •  The API Client user-agent SHOULD expect the presence of the ‘Location’ http response header, the
    value of which is the new URL.
  • The API Client user-agent SHOULD follow the new URL and replay the complete preserved request
    (POST method, complete headers/auth, intact body) to the new URL location. This allows for
    graceful continuation of the request.

Setup Checklist

  • API Clients MUST be configured to use the correct, up-to-date HTTPS-based URL endpoint of the
    MGW server. This is to prevent unnecessary redirects (degrading performance in the process) and
    ensures a secure connection between the client and the server.


Rate Limits (Sending MT)


The Messaging Gateway server MAY rate-limit the API Client user-agent based on the following:

Criteria Scope Defaults
Unauthenticated requests per IP-address 50 reqs over 5mins period
Mobile Number Per Mobile Number (MT Document.to field) 5 reqs ver 60s period
API Account Per API-Client Account disabled by default

Connection Handling

  • The API Client user-agent MUST internally account for in-flight messages (i.e. awaiting responses)
    and MUST ensure that the rate limits provisioned are not breached.
  • The API Client user-agent MAY retry the request after a delay/back-off.
  •  For persistent rate-limits issues, please escalate and contact support.


Was this article helpful to you? Yes No

How can we help?