API Keys
API keys authenticate requests to Mailtarget APIs. Treat each key as a production credential, even when it is used only in a development environment.
Header format
Send the key as a bearer token.
Authorization: Bearer <api_key>
Do not send API keys from browser code or mobile apps. Mailtarget API usage should run through a server you control.
Key lifecycle
| Action | Generated operation |
|---|---|
| List keys | GET /v1/api-key |
| Create key | POST /v1/api-key |
| Read one key | GET /v1/api-key/:id |
| Update key | PUT /v1/api-key/:id |
| Delete key | DELETE /v1/api-key/:id |
Scope selection
Create separate keys for separate workloads:
- Sending services need Send via API or Send via SMTP.
- Reporting jobs need read access to analytics and activity logs.
- Template automation needs template access but does not need sending permission unless it also submits messages.
- Internal admin tools should use a different key from production sending services.
Use IP allowlisting for production keys when your sending service has stable egress IPs.
Rotation pattern
- Create a replacement key with the same scopes and allowlist.
- Deploy the replacement key alongside the current key.
- Verify traffic with the replacement key.
- Revoke the old key.
Never delete the old key before the new key has produced successful traffic.
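The rotation pattern above can be enforced in the sending service itself. The sketch below is an added example, not Mailtarget code: `RotatingKeyClient`, `fake_api`, the `min_successes` threshold and the key strings are hypothetical, and treating 401/403 as "key rejected" is an assumption based on standard HTTP semantics, since the page does not list the API's error codes.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Hypothetical transport: takes request headers, returns an HTTP status code.
Transport = Callable[[Dict[str, str]], int]

def auth_header(key: str) -> Dict[str, str]:
    # Header format from the page: the key is sent as a bearer token.
    return {"Authorization": f"Bearer {key}"}

@dataclass
class RotatingKeyClient:
    current_key: str          # key that is about to be retired
    replacement_key: str      # new key with the same scopes and allowlist
    min_successes: int = 3    # assumed threshold, not a Mailtarget value
    successes: int = 0        # consecutive 2xx responses with the replacement
    fallbacks: int = 0        # times the replacement was rejected

    def send(self, transport: Transport) -> int:
        """Try the replacement key first; fall back to the current key
        only when the replacement is rejected as a credential."""
        status = transport(auth_header(self.replacement_key))
        if 200 <= status < 300:
            self.successes += 1
            return status
        if status in (401, 403):
            # Likely a missing scope or an egress IP absent from the allowlist.
            self.fallbacks += 1
            self.successes = 0
            return transport(auth_header(self.current_key))
        return status  # other errors are not evidence about the key

    def safe_to_revoke_old(self) -> bool:
        # Gate for the final step: revoke only after verified traffic.
        return self.successes >= self.min_successes

def fake_api(valid_keys: Set[str]) -> Transport:
    """Constructed stand-in for the real API so the example runs offline."""
    def transport(headers: Dict[str, str]) -> int:
        scheme, _, key = headers.get("Authorization", "").partition(" ")
        return 200 if scheme == "Bearer" and key in valid_keys else 401
    return transport

if __name__ == "__main__":
    client = RotatingKeyClient("old-key-constructed", "new-key-constructed")
    api = fake_api({"old-key-constructed", "new-key-constructed"})
    for _ in range(3):
        client.send(api)
    print("safe to revoke old key:", client.safe_to_revoke_old())
```

A non-zero `fallbacks` count during rollout means the replacement key's scopes or allowlist do not match the old key's, which is the condition to fix before revoking anything.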