API Basics
The Mambu Process Orchestrator (MPO) Remote Procedure Call API allows you to create and modify tasks, edit process logic, and manage users programmatically.
We recommend using API v2 of the MPO API in most instances.
The MPO API is completely independent from the core Mambu API. You may use v1 of one and v2 of the other.
API Overview
The MPO API is a Remote Procedure Call (RPC) API that accepts JSON. Unless otherwise indicated, all requests use the HTTP POST
operation, and the desired operation is specified in the request body in JSON. The API requires API keys, and each key has a name, a numeric API login and an API Secret.
Most calls to the MPO API use the following endpoint:
BASE_URL/api/API_VERSION/json/API_LOGIN/GMT_UNIXTIME/SIGNATURE
Headers
All API calls require the following headers:
'Content-type: application/json; charset=utf8'
BASE_URL
This URL is provided to you in the signup email. If your instance is in a shared environment, the URL may look like this: https://ireland2.mpo.mambu.com/
. If you have a dedicated environment, the url may look like this: https://TENANT_NAME.mpo.mambu.com/
.
API_VERSION
Specify the MPO API version. Use 2
for API v2 and 1
for API v1. We recommend using API v2 of the MPO API in most instances.
API_LOGIN
Specify the API user who is accessing the API. You can find your API Login by going to Users & Groups > API keys in the MPO UI. Find your API user and copy the number in the second column, under Login.
GMT_UNIXTIME
Unix timestamp in seconds, such as 1631171468
. This value must be generated at the time the request is issued. We recommend generating this value using a standard library, such as the JavaScript Moment library.
SIGNATURE
Signatures are used to authenticate requests. They are a hexadecimal representation of the SHA hash of the Unix timestamp, your API secret, and the request body concatenated with a +
symbol.
Hex ( SHA_HASH (gmtUnixTime + API Secret + Request Body + API Secret) )
The following algorithms can be used to encrypt your requests:
- SHA-1
- SHA-224
- SHA-256
- SHA-384
- SHA-512
If you are using a signature algorithm other than the default one (SHA-1), please add the conv-signature-algorithm header to your request. Example: –header ‘conv-signature-algorithm: sha256’.
For information on where to find your API secret, see API Secret in the Authentication section.
Example of generating signature
- In the following example, we are generating a signature for a request with the request body shown below, using the
GMT_UNIXTIME
value of1624614902
and sample API secret value ofhNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv
.
{
"timeout": 30,
"ops": [{
"conv_id": {processID},
"type": "create",
"obj": "task",
"data": {
"param": 1
}
}]
}
- Concatenate all of the required values:
1624614902 + hNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv + {"timeout": 30,"ops": [{"conv_id": {processID},"type": "create","obj": "task","data": {"param": 1}}]} + hNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv
- Hash the result using SHA-1 (or one of the other Secure Hash Algorithms that MPO supports), yielding:
e27118f58c22f410b360d8122a6f3df42d5a5e42
- Convert the result to a hexadecimal value. This is your signature.
653237313138663538633232663431306233363064383132326136663364663432643561356534320a
Using a script to create a signature
We recommend using a pre-request script to create your signature programmatically.
You can create a signature using a pre-request function or script. Below is a sample JavaScript script that may be used as a pre-request script in Postman.
This script requires Postman to be configured with the environment variables apiSecret
, unixTime
, signature
, apiSecret
and processID
.
var moment = require('moment');
var unixtime = moment().unix();
var secret = pm.environment.get("apiSecret");
var procId = pm.environment.get("processID");
pm.environment.set("unixTime", unixtime);
var body = request.data;
body = body.replace(/{processID}/ig, procId);
var signature = CryptoJS.SHA1(unixtime + secret + body + secret);
pm.environment.set("signature", CryptoJS.enc.Hex.stringify(signature));
Request body
Depending on the request, the actual contents of your request body may differ greatly, but this example request for an API key shows the general structure:
{
"ops": [{
"type": "get",
"obj": "chart",
"obj_id": "5f3d452f82ba960c30188781",
"params": [],
"company_id": "i404856373",
"id": "23242"
}]
}
Parameter | Type | Description | Required |
---|---|---|---|
ops | JSON Object | A list enclosing all the tasks to run on MPO. | Yes |
ops[].type | string | The type of task. | Yes |
ops[].obj | string | An object type to run the tasks on. | No |
ops[].obj_id | string | The ID of the object. | No |
ops[].params | string | A list of parameters or variables to pass to the task. | No |
ops[].company_id | string | The ID of the company. This can be retrieved from your MPO URL when you are logged into the MPO UI (e.g https://TENANT_NAME.mpo.mambu.com/i123456789/workspace/ ). | Yes |
ops[].id | string | An ID that is echoed in the response to match a response to a request. | No |
Authentication
API keys allow you to authenticate API requests. An API secret is auto-generated when you create an API key, and may then be used to secure your requests. In most cases, you must also create a signature.
API keys and secrets are visible to all users on your MPO instance, including non-administrator users. Any user may copy an API secret and use it for a request. Make sure that your list of users is limited to only those who need access.
MPO does not support key rotation or expiration. For instructions on how to revoke API keys, see Revoking API Keys in the UI.
API keys for MPO are separate from API keys for the Mambu API. Mambu API consumers cannot generate MPO keys, and MPO keys cannot be used for Mambu Core, or vice versa.
Creating API keys in the UI
- Log in with a user with administrator access.
- Go to the Users & Groups tab.
- Select Create > API keys in the top-right.
- Give your API key a title in the pop-up.
- Go to the API keys tab to get the API ID and to copy the API secret.
Revoking API keys in the UI
- Log in with a user with administrator access.
- Go to the Users & Groups tab.
- Go to the API keys section.
- Select Remove next to the API keys you want to remove.
API secret
The API secret is provided when you create an API key. The API secret is a required part of a signature. You can find your API secret by going to Users & Groups > API keys in the MPO UI. Find your API user and select the copy icon in the third column.
Creating API keys using the API
You can create API keys using the following URL template:
BASE_URL.mpo.mambu.com/api/2/json/API_LOGIN/GMT_UNIXTIME/SIGNATURE
With this request body:
{
"ops": [{
"type": "create",
"obj": "user",
"title": "api-key-name",
"logins": [{
"type": "api"
}],
"company_id": "i123456789"
}]
}
Parameter | Type | Description | Required |
---|---|---|---|
ops | JSON Object | A list enclosing all the tasks to run on MPO. | Yes |
ops[].type | string | The type of task. Must be create . | Yes |
ops[].obj | string | An object type. Must be user . | Yes |
ops[].title | string | A name for the API Key | Yes |
ops[].logins | array | A list enclosing the login type. | Yes |
ops[].logins[].type | string | The login type. In this case, api for the API key. | Yes |
ops[].company_id | string | The ID of the company. This can be retrieved from your MPO URL when you are logged into the MPO UI (e.g https://TENANT_NAME.mpo.mambu.com/i123456789/workspace/ ). | Yes |
Responses
The secret value is returned in the key
field.
{
"request_proc": "ok",
"ops": [{
"id": "",
"obj": "user",
"proc": "ok",
"users": [{
"obj_id": 76332,
"title": "Here we go again",
"logins": [{
"type": "api",
"key": "h4GSZNqPvkyi7L1IyyzMe8OtPj56xPX2rxNrbvaO6y20075ZPX",
"obj_id": 113135
}]
}]
}]
}
parameter | description |
---|---|
request_proc | Returns ok if all the tasks ran successfully or errors if otherwise. |
ops | A list enclosing responses from all of the tasks run on MPO. |
ops[].id | A request ID. |
ops[].proc | Returns ok if a particular task runs successfully or errors if otherwise. |
ops[].obj | An object type. Usually user . |
ops[].users | A list of users created by the request. |
ops[].users[].obj_id | The ID of the API key. |
ops[].users[].title | The name of the API key. |
ops[].users[].logins | A list of the details of the API key. |
ops[].users[].logins[].type | The login type. Will return api for API keys. |
ops[].users[].logins[].key | The API key’s secret. |
ops[].users[].logins[].obj_id | An ID of API key login. |