Backend for Open Source Android, iOS and Web Messenger

Estimated reading time: 9 minutes

The messenger apps you have just built uses two types of APIs:

  1. Private Backend APIs for login and creating creating users. These are private backend APIs that are only meant for use in the demo messenger apps. The messenger apps connect to your private API for login. In turn, the private API connects to the mesibo backend API to create a user token. One of the reasons why private APIs are needed is that mesibo backend API requires App token which is secret and hence your users cannot directly invoke mesibo API for security.

  2. mesibo Real-time APIs for real-time messaging, voice, and video calls. These APIs are on the users’ side.

Previously, you have used both kinds of above APIs which are already hosted by mesibo so that you can quickly play with the apps. In this part, we will learn about hosting private APIs on your infrastructure.

Messenger Private APIs

In this part, we will describe briefly how messenger Private APIs work, how to host private APIs on your infrastructure and extend it to your needs, for example, changing to the different authentication mechanisms.

Before you continue:

  • Ensure that you are familiar with mesibo APIs and have already gone through Getting Started guide and First Mesibo App tutorial.

  • Remember that, private APIs are not the replacement for mesibo backend APIs. As mentioned above, private APIs invoke mesibo backend APIs. You will still need to invoke mesibo API at for adding users, groups, members, etc.

  • If you are using the app as it is, you will require an SMS service provider to send OTP for login verification. If you like to change the authentication mechanism to something else, say, email or enterprise login, refer to the section below - Using different authentication mechanism.

Let’s get started.

User Login and Authentication

When a new user signs-up up, the messenger will communicate with private APIs for login and verification. The private APIs verifies the new sign-in (say, using username/password, OTP, etc.). If successful, it registers this user with mesibo using mesibo backend API. mesibo returns a token for this user which you can give it to your app so that your app can communicate using mesibo real-time API.

How mesibo works

mesibo login

Refer, Getting Started guide for more details.

Your goal is to create a mesibo user and generate an access token for a valid user. The way you determine whether a user is valid or not, how you implement the authentication step is up to you. For example, messenger demo applications use simple phone authentication. An OTP is sent to users’ mobile number for verification. When the user enters OTP for verification, private API contacts mesibo backend API to generate an access token.

The way you determine whether a user is valid or not is entirely up to you. Your app can decide how you implement the authentication method (say, email, OAuth2, Radius, LDAP, or anything of your choice) and modify the private API accordingly.

The following API request will inform the private API to initiate a login and send an OTP to the phone number the user signs up with.

with payload,

{op: "login", phone: "18005551234", appid: "com.messenger.appid"}

You will get a response like below

{op: "login", ts: 1592890269, result: true}

Once the user receives an OTP and enters, the messenger will invoke the same API but with OTP this time. If OTP matches then authentication is successful and in response to this request you will get the access token generated for that user.

For example, if the OTP received on the phone number is 123456, API will be invoked with OTP

{op: "login", phone: "18005551234", appid: "com.messenger.appid", otp: "123456"}

On success, the API will send a response similar to the following:

{ op: "login", result: true, token: "bfab7bxxxxxxxxxxxxxxxxxxxxxxxxxx", ... }

If the response[‘result’] is true meaning that the API request is successful and the access token is available un in response[‘token’]. Messenger apps then use this access token to initialize mesibo real-time API. Messenger apps also initiate contact synchronization immediately after the login.

Now we will learn how to host private APIs on your server.

Hosting Messenger Private APIs


Before we dive into setting up the private APIs for the Messenger apps, please ensure that the following servers are running.

  • A web server with HTTPS and PHP support. Depending on the web server (apache / h2o/ Lighttpd/ Nginx) you are using, the setup varies. In the subsequent examples, we will assume that your hostname is and the backend code which you will download soon is accessible via URL

  • Mesibo API Key and the App token. Refer to First Mesibo App tutorial to learn about how to get API key and App token.

We will also need Google Maps keys which we registered in the previous part.

Downloading the private APIs Source Code

The latest code for the private APIs is always updated and pushed on messenger-app-backend repository.

There are multiple ways of “downloading” code from GitHub.

If you have git installed, this is a recommended approach as you can quickly sync and stay up to date with the latest version. This is also a preferred way of downloading the code if you decide to contribute to the project.

To download, open a terminal and issue following commands:

$ git clone

Download the code as a zip file

You can also download the full backend source code as a zip file. Although simple, the downside of this approach is that you will have to download the full source code every time it is updated on the repository.

Click on the Download button to start downloading.


Once the download completes, unzip into a folder.

Stay Up-to-date

Whatever approach you take to download the code, it is important to stay up-to-date with the latest changes, new features, fixes etc. Ensure to Star(*) the project on GitHub to get notified whenever the source code is updated.


Configuring the Private API

We now have all the information to configure and go live with private API on your own servers.

Open mesiboconfig.php in the downloaded code and enter app token which you obtained from the mesibo console.

That’s it! We are now ready to test the backend!

Testing your Private API

It’s time now to test the backend. Use curl, postman or any other tools to send a test request

{op: "login", phone: "18005551234", appid: "com.messenger.appid"}

Using curl

$ curl --header "Content-Type: application/json" --request POST --data '{op: "login", phone: "18005551234", appid: "com.messenger.appid"}'

this should output like the following

{op: "login", ts: 1592890269, result: true}

Above output indicates that the backend appears to be set up correctly. The next step is to update the Android and iOS Apps you have built in previous parts with the new backend.

Sending OTP to your users

The private API generates an OTP and prints it to the PHP error.log which you can use for testing. However, for a real deployment, you need to send OTP to the user for them to enter it on the login screen. You can use any SMS provider to send the OTP to the user.

Refer to the sendOtpToUser function in the private APIs to learn more.

Push Notifications

The last set of information you need is to enable push notification for Android and iOS. You will need the following credentials:

  • Google FCM/GCM Key for Android Push notification.
  • Apple VoIP Certificate and passphrase.

Refer to Google FCM and Apple push notification document to get above credentials. Once you get them, you need to configure Push Notification credentials in Mesibo Console by clicking on your App and then in Push Notifications tab. Refer to the mesibo Push Notification Documentation to learn more.

Configure Apps to use your Private API

Edit the following files in the Messenger apps to use your own private API URL (replacing with the new one).


  • Edit app/src/main/res/values/strings.xml and enter Google map key in the GOOGLE_MAP_KEY field.
  • Edit and change mApiUrl which is pointing to to your own private API URL.


  • Click on Info.plist, enter Google map key in the GoogleMapKey field.
  • In the same file, enter your own private API URL in the MessengerApiUrl field.


  • Exit mesibo/config.js to change the URL

That’s it. Recompile both the apps and start using it!

You can now see any new user and group you create in the Mesibo console along with statistics.

Using different authentication mechanism

For the messenger, we have used phone-based authentication. It is just an example and we do not recommend or enforce any particular login method. You can replace it with any other authentication mechanism, for example, email, user-id, LDAP, RADIUS, OAuth2, Kerberos, SAML, etc. All you need to do is that you generate a mesibo user token using your secret App Token only after your user passed your authentication.

These are two places where you need to make changes:

  1. your own login screens so that your users can enter the required credentials, for example, email, user-id, or the password.

  2. Private APIs. You can change it to whatever authentication check your App does. For example, checking your own database for a valid user.


In this part, we have learnt about hosting private APIs on your own infrastructure. In the next part, we will learn about how to host Mesibo real-time server on your own premise.

On to Part 7 >>

open, source, whatsapp, mesibo, ios, backendm web