REST API reference

All management endpoints speak JSON over HTTP. Browsers authenticate with JWTs; servers authenticate with API keys. OpenAPI 3 specs are downloadable from the admin dashboard.

Authentication

Browser sessions

Sign in at the relevant dashboard (publisher / advertiser / admin). Cookies and short-lived JWTs are issued automatically; the SDK clients in our docs all use them.

JWT (browser)
# 1. Sign in (browser flow returns httpOnly cookies; here we use JSON)
curl -fsS https://api.mpwa.to/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email":"you@example.com","password":"..."}'
# → { "accessToken": "eyJ…", "refreshToken": "..." }

# 2. Use the access token on subsequent calls (15 min lifetime)
curl -fsS https://api.mpwa.to/v1/reports/overview \
  -H "Authorization: Bearer eyJ…"

Server-to-server (API keys)

Generate an API key in Settings → API Keys. Pass it as the Bearer token. Keys are scoped to the issuing user's role and respect the same RBAC.

API key (server-to-server)
# Generate a key in Settings → API Keys, then:
curl -fsS https://api.mpwa.to/v1/campaigns \
  -H "Authorization: Bearer mpk_live_..."

Rate limits

The default limit is 2000 requests per minute per user or key. Login and signup are tighter (10/min and 5/min). Bursts over the limit return 429 with a Retry-After header.

Services

Eight back-end services expose OpenAPI 3 at /docs-json. Download specs from the admin dashboard for a Postman/Bruno/Insomnia import.

  • auth: /v1/auth

    JWT + refresh, MFA, API keys, GDPR data-export.

  • publisher: /v1/sites · /v1/ad-units · /v1/publishers

    Sites, ad units, publisher profile, payout settings, CMP config.

  • advertiser: /v1/campaigns · /v1/creatives · /v1/conversion-goals

    Advertisers, campaigns, creatives, conversion goals.

  • reporting: /v1/reports

    Overview, hourly, attribution, viewability, video, floor.

  • audience: /v1/audiences · /v1/segments · /v1/consent

    Audiences (rules/list/lookalike), segments, consent ledger.

  • billing: /v1/billing · /v1/payouts

    Wallets, invoices, payouts, daily spend rollup.

Authenticated customers can download the OpenAPI 3 spec for each service from their dashboard's API keys page (server-to-server) or by importing the live endpoints into Postman / Bruno / Insomnia.

OpenRTB 2.6

Server-to-server bid endpoint. Both buy-side (DSP) and sell-side (SSP) flows are accepted; the contract is the IAB OpenRTB 2.6 JSON spec. We answer in < 50 ms at p99.

OpenRTB request
POST /openrtb/2.6/bid HTTP/1.1
Host: ads.mpwa.to
Content-Type: application/json

{
  "id": "0000113",
  "imp": [{ "id": "1", "banner": { "w": 728, "h": 90 } }],
  "site": { "id": "publisher-1", "domain": "example.com" },
  "user": { "id": "hashed-uid-..." },
  "at": 2,
  "tmax": 120
}

Errors

All errors return a JSON body with `statusCode`, `error`, `message`, and an optional `details` array. Validation failures use 400; auth uses 401/403; not-found uses 404; conflicts use 409; rate-limit uses 429.

error shape
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "validation failed",
  "details": [
    { "path": ["body", "name"], "code": "too_small", "minimum": 3 }
  ]
}
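
Client-side handling of the responses described under Rate limits and Errors, added here as an example (it is not code from this API's SDKs): it decides from the status code, the Retry-After header and the documented error body whether to wait, re-authenticate or fail. The function names, the 60-second cap, the 1-second fallback and the choice to treat 401 as a signal to re-authenticate are assumptions.

```python
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT_S = 60.0     # assumption: client-side cap on any server-requested wait
DEFAULT_WAIT_S = 1.0  # assumption: delay when Retry-After is absent or unparsable

# Constructed sample: the error body shown in the "Errors" section.
SAMPLE_400 = ('{"statusCode":400,"error":"Bad Request","message":"validation failed",'
              '"details":[{"path":["body","name"],"code":"too_small","minimum":3}]}')


def retry_after_seconds(value, now):
    """Retry-After is either delta-seconds or an HTTP-date (RFC 9110)."""
    if value is None:
        return DEFAULT_WAIT_S
    value = value.strip()
    if value.isdigit():
        wait = float(value)
    else:
        try:
            wait = (parsedate_to_datetime(value) - now).total_seconds()
        except (TypeError, ValueError):
            wait = DEFAULT_WAIT_S
    # Clamp: never sleep a negative time, never let a header stall us forever.
    return min(max(wait, 0.0), MAX_WAIT_S)


def classify(status, headers, body, now=None):
    """Return (action, info) where action is ok, wait, reauth or fail."""
    now = now or datetime.now(timezone.utc)
    if 200 <= status < 300:
        return ("ok", None)
    try:
        err = json.loads(body)
    except (TypeError, ValueError):
        err = None
    if not isinstance(err, dict):
        err = {}  # non-JSON or unexpected body: fall back to the status code
    if status == 429:  # rate limited: honour the server's Retry-After
        hdrs = {k.lower(): v for k, v in headers.items()}
        return ("wait", retry_after_seconds(hdrs.get("retry-after"), now))
    if status == 401:  # assumption: access token expired, sign in again
        return ("reauth", err.get("message"))
    details = err.get("details")
    details = details if isinstance(details, list) else []
    problems = [f"{'.'.join(map(str, d.get('path') or []))}: {d.get('code')}"
                for d in details if isinstance(d, dict)]
    return ("fail", problems or [err.get("message", f"HTTP {status}")])
```

Only the "wait" action is retried automatically; 400, 403, 404 and 409 are returned as failures, so a rejected request is not sent again unchanged.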