Mailbox API – Authentication and Authorization

Axigen Documentation

Auth Methods

The Axigen Mailbox-API supports the following authentication and authorization methods:

  • OAuth 2.0 with OpenID Connect – for both browser based applications and mobile / native apps

  • Basic Authentication – in case OAuth 2.0 and OpenID Connect is not available

Note that using OAuth 2.0 and OpenID Connect is strongly recommended as it is the most secure option.

2-Step Verification and Catpcha are supported only when using OAuth 2.0 and OpenID Connect if enabled by the Authorization Server.


Request Headers







"Basic <username>:<password>", "Bearer <token>"

“Basic” – used to authenticate against internal user authentication mechanism when OAuth 2.0 and OpenID Connect are not available

“Bearer” – used to authenticate against an external authentication provider (such as OAuth 2.0 and OpenID Connect)


When successful, the endpoint returns the following JSON structure:

All subsequent API calls must use the same authentication method and include the session id in the X-Axigen-Session header.

Note that when using bearer token authorization, the username is unknown to Axigen until the token is validated against the external authentication provider.

In case the user can not be authenticated (i.e. wrong authentication credentials, invalid token, expired token, unknown user), the endpoint will reply back with 401 Unauthorized.