Prerequisites
- You must be an Account Administrator to manage API keys.
Types of API keys
Mailosaur supports two types of API keys:
| Type | Scope | Use case |
|---|---|---|
| Standard | Account-wide | Full access to all inboxes and API operations, including creating and deleting inboxes |
| Server-restricted | Single inbox | Access limited to one specific inbox; cannot create or delete inboxes |
Standard keys
A standard API key grants access to all inboxes in your account and supports all API operations. Use standard keys when you need broad access across your account — for example, in a CI/CD pipeline that manages multiple inboxes.
Server-restricted keys
A server-restricted API key is scoped to a single inbox. It can only be used to perform email and SMS functions and cannot create or delete inboxes. Use server-restricted keys when you want to limit access — for example, giving a specific integration access to only one inbox.
In the API, inboxes are referred to as "servers". The term "server-restricted" reflects this API-level naming.
Key limits and expiry
- There is no limit on the number of API keys you can create.
- API keys do not expire. They remain active until you delete them.
- API keys cannot be renamed. To change a key's name, delete it and create a new one.
Permissions
Only Account Administrators can create, reveal, and delete API keys.
Create a standard API key
- Navigate to the API Keys section in the dashboard.
- Click Create standard key.
- Enter a name for the key.
- Click Create.
The new API key is displayed. Click Reveal key to see its value, then copy and store it securely.
Create a server-restricted API key
- Navigate to the API Keys section in the dashboard.
- Click Create server-restricted key.
- Enter a name for the key.
- Select the inbox from the dropdown.
- Click Create.
The new API key is displayed. Click Reveal key to see its value, then copy and store it securely.
Reveal an API key
Use this when you need to copy a key value again.
- Navigate to the API Keys section in the dashboard.
- Find the API key you want to reveal.
- Click Reveal key (or the eye icon) next to the key.
- Copy the key and store it securely.
Delete an API key
Before deleting a key, confirm that no active integrations depend on it and consider creating a replacement key to avoid downtime.
- Navigate to the API Keys section in the dashboard.
- Find the API key you want to delete.
- Open the Actions dropdown next to the key and select Delete.
- In the confirmation dialog, type the name of the API key.
- Click Delete to confirm.
The key is immediately revoked. Any API requests using this key will receive an authentication error.
This action cannot be undone. A deleted key cannot be restored.
API keys cannot be deleted via the API. You must use the dashboard.
Security best practices
- Keep keys secret. Do not commit API keys to version control or share them in plain text.
- Use server-restricted keys where possible to limit the blast radius if a key is compromised.
- Rotate keys regularly. Delete old keys and create new ones periodically.
- Delete unused keys to reduce your attack surface.
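The practices above can be checked against a key inventory you maintain yourself. The following is an added example, not Mailosaur code: the record fields, the 90-day rotation window, the 30-day idle threshold and the sample keys are all assumptions made for illustration. Because keys never expire and can only be deleted in the dashboard, the output is a to-do list for an Account Administrator.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_AGE_DAYS = 90   # assumed rotation window; the page sets no interval
IDLE_DAYS = 30      # assumed threshold for calling a key "unused"

@dataclass
class KeyRecord:
    name: str
    key_type: str               # "standard" or "server-restricted"
    created: date
    last_used: Optional[date]   # None: never observed in use
    inboxes_needed: int         # inboxes the consumer actually touches
    manages_inboxes: bool       # consumer creates or deletes inboxes

def audit(keys, today):
    """Return (key name, action) pairs for an administrator to act on."""
    findings = []
    for k in keys:
        idle = k.last_used is None or (today - k.last_used).days > IDLE_DAYS
        if idle:
            # Keys never expire, so an idle key stays valid until deleted.
            findings.append((k.name, "delete-unused"))
            continue
        if (today - k.created).days > MAX_AGE_DAYS:
            findings.append((k.name, "rotate"))
        # Account-wide key where one inbox and no inbox management is needed.
        if (k.key_type == "standard" and k.inboxes_needed == 1
                and not k.manages_inboxes):
            findings.append((k.name, "replace-with-server-restricted"))
    return findings

# Constructed sample inventory (names and dates only; no key values stored).
TODAY = date(2025, 6, 1)
INVENTORY = [
    KeyRecord("ci-pipeline", "standard", date(2025, 4, 15), date(2025, 5, 30), 4, True),
    KeyRecord("signup-tests", "standard", date(2025, 5, 1), date(2025, 5, 31), 1, False),
    KeyRecord("legacy-qa", "server-restricted", date(2024, 1, 10), date(2025, 2, 1), 1, False),
    KeyRecord("sms-checks", "server-restricted", date(2024, 11, 1), date(2025, 5, 29), 1, False),
]

if __name__ == "__main__":
    for name, action in audit(INVENTORY, TODAY):
        print(f"{name}: {action}")
```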