The mgPass Rewards API supports three authentication methods depending on who is making the request.

Partner API Key

For external platforms publishing events and awarding points.

curl -X POST https://auth.mgpass.net/api/partner/events \
  -H "X-API-Key: pk_live_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{ "user_id": "usr_123", "event_type": "purchase" }'

API keys are issued during partner onboarding via the mgPass Admin Console. Only a SHA-256 hash of each key is stored — MG Digital cannot retrieve your key after issuance.

Key Rotation

If your key is compromised, contact MG Digital to rotate it. The old key is immediately invalidated and a new one is issued.

Rate Limits

Partner endpoints are rate-limited to 30 requests per minute per IP address. If exceeded, you’ll receive a 429 response with a Retry-After header.

User Bearer Token (OAuth 2.0)

For user-facing apps that display balance and history and initiate redemptions. Users authenticate through mgPass OAuth 2.0 / OIDC and receive an access token. Pass it as a Bearer token:

curl https://auth.mgpass.net/api/account/rewards \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..."

Getting a User Token

Your app redirects users to the mgPass authorization endpoint:

https://auth.mgpass.net/authorize?
  client_id=YOUR_CLIENT_ID&
  response_type=code&
  redirect_uri=https://yourapp.com/callback&
  scope=openid+profile+email&
  state=random_state_value

Exchange the authorization code for tokens at /api/token. See the mgPass OAuth documentation for full details.

Admin Bearer Token

For mgPass Admin Console and internal tools. Requires the mgpass:admin scope in the access token.

curl https://auth.mgpass.net/api/rewards/rules \
  -H "Authorization: Bearer ADMIN_ACCESS_TOKEN"

Admin tokens are obtained through the same OAuth flow but require the user to have the mgpass:admin role assigned.

Security Best Practices

API keys should only be used in server-to-server communication. Never embed them in mobile apps, JavaScript bundles, or client-side code.
All API requests must use HTTPS. HTTP requests are automatically rejected.
When receiving webhook events, always verify the X-Webhook-Signature header using HMAC-SHA256 with your webhook secret.
Rotate your partner API key at least every 90 days. The admin console supports zero-downtime key rotation.

Session Lifetime

mgPass authentication sessions use a 30-day sliding window:

Property                   Value
Default session duration   30 days
Sliding window             Every authentication use (SSO check, token refresh) extends the session
"Remember me" checked      Persistent cookie (30-day expiry, survives browser restart)
"Remember me" unchecked    Session cookie (cleared on browser close)

Global Logout

Logging out from any mgPass surface (admin console, account portal, or any connected application) revokes sessions everywhere:
  1. The session cookie on .mgpass.net is cleared
  2. All refresh tokens for the user are revoked
  3. Admin and account workers are notified via back-channel (Cloudflare service bindings) to destroy their local sessions
  4. The user must re-authenticate on every application
This ensures that a single logout action provides complete session termination across the entire MG Digital ecosystem. For implementation details, see the SSO Guide.