API Basics

Jump to Section

The Mambu Process Orchestrator (MPO) Remote Procedure Call API allows you to create and modify tasks, edit process logic, and manage users programmatically.

We recommend using API v2 of the MPO API in most instances.

Please Note:
The MPO API is completely independent from the core Mambu API. You may use v1 of one and v2 of the other.

API Overview

The MPO API is a Remote Procedure Call (RPC) API that accepts JSON. Unless otherwise indicated, all requests use the HTTP POST operation, and the desired operation is specified in the request body in JSON. The API requires API keys, and each key has a name, a numeric API login and an API Secret.

Most calls to the MPO API use the following endpoint:

BASE_URL/api/API_VERSION/json/API_LOGIN/GMT_UNIXTIME/SIGNATURE

Headers

All API calls require the following headers:

'Content-type: application/json; charset=utf8'

BASE_URL

This URL is provided to you in the signup email. If your instance is in a shared environment, the URL may look like this: https://ireland2.mpo.mambu.com/. If you have a dedicated environment, the url may look like this: https://TENANT_NAME.mpo.mambu.com/.

API_VERSION

Specify the MPO API version. Use 2 for API v2 and 1 for API v1. We recommend using API v2 of the MPO API in most instances.

API_LOGIN

Specify the API user who is accessing the API. You can find your API Login by going to Users & Groups > API keys in the MPO UI. Find your API user and copy the number in the second column, under Login.

Creating API keys in the MPO UI

GMT_UNIXTIME

Unix timestamp in seconds, such as 1631171468. This value must be generated at the time the request is issued. We recommend generating this value using a standard library, such as the JavaScript Moment library.

SIGNATURE

Signatures are used to authenticate requests. They are a hexadecimal representation of the SHA hash of the Unix timestamp, your API secret, and the request body concatenated with a + symbol.

Hex ( SHA_HASH (gmtUnixTime + API Secret + Request Body + API Secret) )

The following algorithms can be used to encrypt your requests:

SHA-1
SHA-224
SHA-256
SHA-384
SHA-512

For information on where to find your API secret, see API Secret in the Authentication section.

Example of generating signature

In the following example, we are generating a signature for a request with the request body shown below, using the GMT_UNIXTIME value of 1624614902 and sample API secret value of hNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv.

{
     "timeout": 30,
          "ops": [{
               "conv_id": {processID},
               "type": "create",
               "obj": "task",
               "data": {
                    "param": 1
               }
          }]
}

Concatenate all of the required values:

1624614902 + hNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv + {"timeout": 30,"ops": [{"conv_id": {processID},"type": "create","obj": "task","data": {"param": 1}}]} + hNThdrdYYWKm7om8zNURRppAnh0Cod3anp7JsiCmNWPM8p56tv

Hash the result using SHA-1 (or one of the other Secure Hash Algorithms that MPO supports), yielding:

e27118f58c22f410b360d8122a6f3df42d5a5e42

Convert the result to a hexadecimal value. This is your signature.

653237313138663538633232663431306233363064383132326136663364663432643561356534320a

Using a script to create a signature

We recommend using a pre-request script to create your signature programmatically.

You can create a signature using a pre-request function or script. Below is a sample JavaScript script that may be used as a pre-request script in Postman.

This script requires Postman to be configured with the environment variables apiSecret, unixTime, signature, apiSecret and processID.

var moment = require('moment');
var unixtime = moment().unix();
var secret = pm.environment.get("apiSecret");
var procId = pm.environment.get("processID");

pm.environment.set("unixTime", unixtime);

var body = request.data;

body = body.replace(/{processID}/ig, procId);

var signature = CryptoJS.SHA1(unixtime + secret + body + secret);

pm.environment.set("signature", CryptoJS.enc.Hex.stringify(signature));

Request body

Depending on the request, the actual contents of your request body may differ greatly, but this example request for an API key shows the general structure:

{
     "ops": [{
               "type": "get",
               "obj": "chart",
               "obj_id": "5f3d452f82ba960c30188781",
               "params": [],
               "company_id": "i404856373",
               "id": "23242"
          }]
}

Parameter	Type	Description	Required
`ops`	JSON Object	A list enclosing all the tasks to run on MPO.	Yes
`ops[].type`	string	The type of task.	Yes
`ops[].obj`	string	An object type to run the tasks on.	No
`ops[].obj_id`	string	The ID of the object.	No
`ops[].params`	string	A list of parameters or variables to pass to the task.	No
`ops[].company_id`	string	The ID of the company. This can be retrieved from your MPO URL when you are logged into the MPO UI (e.g `https://TENANT_NAME.mpo.mambu.com/i123456789/workspace/`).	Yes
`ops[].id`	string	An ID that is echoed in the response to match a response to a request.	No

Authentication

API keys allow you to authenticate API requests. An API secret is auto-generated when you create an API key, and may then be used to secure your requests. In most cases, you must also create a signature.

Please Note:
API keys and secrets are visible to all users on your MPO instance, including non-administrator users. Any user may copy an API secret and use it for a request. Make sure that your list of users is limited to only those who need access.

MPO does not support key rotation or expiration. For instructions on how to revoke API keys, see Revoking API Keys in the UI.

Please Note:
API keys for MPO are separate from API keys for the Mambu API. Mambu API consumers cannot generate MPO keys, and MPO keys cannot be used for Mambu Core, or vice versa.

Creating API keys in the UI

Log in with a user with administrator access.
Go to the Users & Groups tab.
Select Create > API keys in the top-right.
Give your API key a title in the pop-up.
Go to the API keys tab to get the API ID and to copy the API secret.

Revoking API keys in the UI

Log in with a user with administrator access.
Go to the Users & Groups tab.
Go to the API keys section.
Select Remove next to the API keys you want to remove.

API secret

The API secret is provided when you create an API key. The API secret is a required part of a signature. You can find your API secret by going to Users & Groups > API keys in the MPO UI. Find your API user and select the copy icon in the third column.

Creating API keys using the API

You can create API keys using the following URL template:

BASE_URL.mpo.mambu.com/api/2/json/API_LOGIN/GMT_UNIXTIME/SIGNATURE

With this request body:

{
     "ops": [{
          "type": "create",
          "obj": "user",
          "title": "api-key-name",
          "logins": [{
               "type": "api"
          }],
          "company_id": "i123456789"
     }]
}

Parameter	Type	Description	Required
`ops`	JSON Object	A list enclosing all the tasks to run on MPO.	Yes
`ops[].type`	string	The type of task. Must be `create`.	Yes
`ops[].obj`	string	An object type. Must be `user`.	Yes
`ops[].title`	string	A name for the API Key	Yes
`ops[].logins`	array	A list enclosing the login type.	Yes
`ops[].logins[].type`	string	The login type. In this case, `api` for the API key.	Yes
`ops[].company_id`	string	The ID of the company. This can be retrieved from your MPO URL when you are logged into the MPO UI (e.g `https://TENANT_NAME.mpo.mambu.com/i123456789/workspace/`).	Yes

Responses

The secret value is returned in the key field.

{
    "request_proc": "ok",
    "ops": [{
               "id": "",
               "obj": "user",
               "proc": "ok",
               "users": [{
                    "obj_id": 76332,
                    "title": "Here we go again",
                    "logins": [{
                            "type": "api",
                            "key": "h4GSZNqPvkyi7L1IyyzMe8OtPj56xPX2rxNrbvaO6y20075ZPX",
                            "obj_id": 113135
                    }]
               }]
     }]
}

parameter	description
`request_proc`	Returns `ok` if all the tasks ran successfully or errors if otherwise.
`ops`	A list enclosing responses from all of the tasks run on MPO.
`ops[].id`	A request ID.
`ops[].proc`	Returns `ok` if a particular task runs successfully or errors if otherwise.
`ops[].obj`	An object type. Usually `user`.
`ops[].users`	A list of users created by the request.
`ops[].users[].obj_id`	The ID of the API key.
`ops[].users[].title`	The name of the API key.
`ops[].users[].logins`	A list of the details of the API key.
`ops[].users[].logins[].type`	The login type. Will return `api` for API keys.
`ops[].users[].logins[].key`	The API key’s secret.
`ops[].users[].logins[].obj_id`	An ID of API key login.

API Quickstart