Backend for Open Source Android and iOS Messenger

Estimated reading time: 13 minutes

The messenger apps you have just built using two types of APIs:

  1. Private Backend APIs for administrative tasks such as creating users, groups, etc. These are private backend APIs that are only meant for use in the demo messenger apps. The messenger apps connect to your private API for login and other administrative tasks like contact synchronization, create groups, etc. In turn, the private API connects to the mesibo backend API to perform the necessary operations, for example, creating a user token, creating a group, etc. One of the reasons why private APIs are needed is that mesibo backend API requires App token which is secret and hence your users cannot directly invoke mesibo API for security. Secondly, you will have your own database for users for administrative tasks and contact synchronizations.

  2. mesibo Real-time APIs for real-time messaging, voice, and video calls. These APIs are on the users’ side.

Previously, you have used both kinds of above APIs which are already hosted by mesibo so that you can quickly play with the apps. In this part, we will learn about hosting private APIs on your infrastructure.

Messenger Private APIs

In this part, we will describe briefly how messenger Private APIs work, how to host private APIs on your infrastructure and extend it to your needs, for example, changing to the different authentication mechanisms.

Before you continue:

  • Ensure that you are familiar with mesibo APIs and already gone through Getting Started guide and First Mesibo App tutorial.

  • Remember that, private APIs are not the replacement for mesibo backend APIs. As mentioned above, private APIs invoke mesibo backend APIs. You will still need to invoke mesibo API at for adding users, groups, members, etc.

  • If you are using the app as it is, you will require an SMS service provider to send OTP for login verification. If you like to change the authentication mechanism to something else, say, email or enterprise login, refer to the section below - Using different authentication mechanism.

Let’s get started.

User Login and Authentication

When a new user signs-up up, the messenger will communicate with private APIs for the login and verification. The private APIs verifies the new sign-in (say, using username/password, OTP, etc.). If successful, it saves the user in a database and then registers this user with mesibo using mesibo backend API. mesibo returns a token for this use which you can give it to your app so that your app can communicate using mesibo real-time API.

How mesibo works

mesibo login

Refer, Getting Started guide for for more details.

Your goal is to create a mesibo user and generate an access token for a valid user. The way you determine whether a user is valid or not, how you implement the authentication step is up to you. For example, messenger demo applications use simple phone authentication. An OTP is sent to users’ mobile number for verification. When the user enters OTP for verification, private API contacts mesibo backend API to generate an access token.

The way you determine whether a user is valid or not is entirely up to you. Your app can decide how you implement the authentication method (say, email, OAuth2, Radius, LDAP, or anything of your choice) and modify the private API accordingly.

The following API request will inform private API to initiate a login and send an OTP to the phone number the user signs up with.

For example,

You will get a response like below

{op: "login", ts: 1592890269, result: "OK"}

Once the user receives an OTP and enters, the messenger will invoke the same API but with OTP this time. If OTP matches then authentication is successful and in the response of this request you will get the access token generated for that user.

For example, if the OTP received on the phone number is 123456

On success, the API will send response similar to the following:

cc: "91"
downloadurl: ""
fileurl: ""
google: "AIzaSyBE32csNi3_SyGVrTSNMMSFH5t8g2M9zHU"
invite: "Hey, I use Mesibo for free messaging, voice and video calls. Download it from"
name: ""
op: "login"
phone: "91xxxxxxxxxx"
photo: "1587123154-3c7462a54cfb2ded.jpg"
result: "OK"
share: {text: "Hey, I use Mesibo for free messaging, voice and video calls. Download it from", subject: "Mesibo Messenger: Open Source Messenger", title: "Invite a friend via"}
status: "user status"
tn: "hdalkjhqwrhqr......"
token: "bfab7bxxxxxxxxxxxxxxxxxxxxxxxxxx"
ts: 1592891231
uploadurl: ""
urls: { download: "", upload: ""}

If the response[‘result’] is OK meaning that the API request is successful and the access token is available un in response[‘token’]. Messenger apps then use this access token to initialize mesibo real-time API. Messenger apps also initiate contact synchronization immediately after the login.

Contact Synchronization

Contact Synchronization allows your users to

  • find their contacts who are already using the app so that they can communicate with them

  • find groups they are a member of

To achieve this, each user sends phone contacts to the server and then server matches to find who is in whose contact list. Hence, you need to obtain the list of contacts stored on your device and send it to your private API. You also need to mark contacts as synchronized to avoid sending again in the next startup.

To facilitate contact synchronization, you can invoke following private API

To synchronize contacts, you need to invoke this API with the following parameters:

  • op = “getcontacts”
  • token = Access Token obtained in the login process.
  • ts = Last known sync time. You only need to fetch the changes after your previous sync. For the first time sync call pass 0 ie; ts=0
  • phones An array of phone numbers who you need to check if they are using the mesibo demo app. If you do no pass, you will get a list of all contacts from the previous sync and a list of groups you are member of.

For example,[]

Your response will look like

contacts: (13) [{…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}, {…}]
downloadurl: ""
fileurl: ""
invite: "Hey, I use Mesibo for free messaging, voice and video calls. Download it from"
op: "getcontacts"
result: "OK"
share: {text: "Hey, I use Mesibo for free messaging, voice and video calls. Download it from", subject: "Mesibo Messenger: Open Source Messenger", title: "Invite a friend via"}
ts: 1592891231
u: {name: "", phone: "91xxxxxxxxxx", status: "update profile", photo: "1587123154-3c7462a54cfb2ded.jpg", ts: "1592891231", …}
uploadurl: ""
urls: { download: "", upload: ""}

In the response of getcontacts request you will get:

  1. A list of your contacts who are using the demo app The contacts array response['contacts] will look like below
    0: {name: "abc", status: "This  status", phone: "91xxxxxxxxxx", photo: "1561540844-553cd2389099c839.jpg", gid: "0", …}
    1: {name: "def", status: "", phone: "91xxxxxxxxxx", photo: "", gid: "0", …}
  2. The latest status and profile pictures of each of these contacts using the demo app.

  3. Your own profile picture and status in the demo app, response['u']
    connection_status: ""
    name: ""
    phone: "91xxxxxxxxxx"
    photo: "1587123154-3c7462a54cfb2ded.jpg"
    status: "update profile"
    ts: "1592891231"
  4. Any groups you have subscribed to.
gid: "20971"
members: "1:91xxxxxxxxxx,91xxxxxxxxxx,91xxxxxxxxxx,91xxxxxxxxxx"
name: "Test group"
phone: ""
photo: ""
status: ""
ts: "1566287105"

The messenger app then users user profile APIs to store all the contacts in the local database and showing it to the user.

There are many such operations performed by Private API. It is not the scope of this tutorial to explain each and every part of the demo app. The source code is self-explanatory. You can modify it to suit your needs.

Now we will learn how to host private APIs on your server.

Hosting Messenger Private APIs


Before we dive into setting up the private APIs for the Messenger apps, please ensure that the following servers are running.

  • A web server with HTTPS and PHP support. Depending on the web server (apache / h2o/ Lighttpd/ Nginx) you are using, the setup varies. In the subsequent examples, we will assume that your hostname is and the backend code which you will download soon is accessible via URL

  • MySQL server

  • Mesibo API Key and the App token. Refer to First Mesibo App tutorial to learn about how to get API key and App token.

We will also need Google Maps keys which we registered in the previous part.

Downloading the private APIs Source Code

The latest code for the private APIs is always updated and pushed on messenger-app-backend repository.

There are multiple ways of “downloading” code from GitHub.

If you have git installed, this is a recommended approach as you can quickly sync and stay up to date with the latest version. This is also a preferred way of downloading the code if you decide to contribute to the project.

To download, open a terminal and issue following commands:

$ git clone

Download the code as a zip file

You can also download the full backend source code as a zip file. Although simple, the downside of this approach is that you will have to download the full source code every time it is updated on the repository.

Click on the Download button to start downloading.


Once the download completes, unzip into a folder.

Stay Up-to-date

Whatever approach you take to download the code, it is important to stay up-to-date with the latest changes, new features, fixes etc. Ensure to Star(*) the project on GitHub to get notified whenever the source code is updated.


Setting up the Database

You will need to set up a database so that backend can store various information:

  • Users phone number and login token
  • Groups, group members, and group admins
  • Users contacts for contact synchronizations.
  • Google and Apple push notification tokens

The private APIs uses MySQL as the database. We will not go into details of setting up MySQL server; there are plenty of tutorials on the web if you are not familiar. Once you’ve set up the MySQL server, create a database and the credentials. These credential will be needed by the backend code to access the database.

The next step is to create the database schema using the supplied SQL file mysql-schema.sql. Run following to create the database schema for the backend.

$ mysql -h <host> -u <username> -p <password> <dbname> < mysql-schema.sql

Push Notifications

The last set of information you need is to enable push notification for Android and iOS. You will need the following credentials:

  • Google FCM/GCM Key for Android Push notification.
  • Apple VoIP Certificate and passphrase.

Refer to Google FCM and Apple push notification document to get above credentials. Once you get them, you need to configure Push Notification credentials in Mesibo Console by clicking on your App and then in Push Notifications tab.

Configuring the Private API

We now have all the information to configure and go live with private API on your own servers.

Open config.php in the downloaded code and enter all the information we have obtained above, namely:

  • MySQL host, database name, username, and password
  • Google Maps key
  • Mesibo API Key, and App Token

You will also need to set files_path and files_tn_path to valid paths on your server where backend will store the profile pictures.

That’s it! We are now ready to test the backend!

Testing your Private API

It’s time now to test the backend. Open in your browser. It should output

{ "code": "NOOP", "result": "FAIL" }

Above output indicates that the backend appears to be set up correctly. You can further test by opening api.php with some parameters. For example,

this should output like the following

 { "op": "login", "ts": 1555861088, "error": "BADAKTOKEN", "result": "FAIL" }

Looks fine! The next step is to update the Android and iOS Apps you have built in previous parts with the new backend.

Configure Apps to use your Private API

Edit the following files in the Messenger apps to use your own private API URL (replacing with the new one).


  • Edit app/src/main/res/values/strings.xml and enter Google map key in the GOOGLE_MAP_KEY field.
  • Edit and change mApiUrl which is pointing to to your own private API URL.


  • Click on Info.plist, enter Google map key in the GoogleMapKey field.
  • In the same file, enter your own private API URL in the MessengerApiUrl field.

That’s it. Recompile both the apps and start using it!

You can now see any new user and group you create in the Mesibo console along with statistics.

Using different authentication mechanism

For the messenger, we have used phone-based authentication. It is just an example and we do not recommend or enforce any particular login method. You can replace it with any other authentication mechanism, for example, email, user-id, LDAP, RADIUS, OAuth2, Kerberos, SAML, etc. All you need to do is that you generate a mesibo user token using your secret App Token only after your user passed your authentication.

These are two places where you need to make changes:

  1. your own login screens so that your users can enter the required credentials, for example, email, user-id, or the password.

  2. Private APIs. You can change it to whatever authentication check your App does. For example, checking your own database for a valid user.

Conclusion of part five

In this part, we have learnt about hosting private APIs on your own infrastructure. In the next part, we will learn about how to host Mesibo real-time server on your own premise.

On to Part 6 >>

open, source, whatsapp, mesibo, ios, backend