API keys
Create keys in the dashboard at Settings → API Keys. Each key has scopes (any combination of send, read, manage) and an optional IP allowlist.
We store SHA-256 hashes of keys, not the raw value. Keys are visible only once at creation time.
Authorization: Bearer $INBOX_API_KEYScopes
send— POST to /api/v1/mail/send and /api/v1/mail/validate.read— GET on /api/v1/messages, /api/v1/stats, /api/v1/events, /api/v1/suppressions.manage— write access to domains, templates, automations, suppressions.
IP allowlist
Restrict where a key can be used from. Supports IPv4, IPv6, and CIDR. Requests from outside the allowlist return 403 with no further details, even if the key is otherwise valid.
SSO (Enterprise)
SAML 2.0 and OIDC supported. SCIM provisioning available for user lifecycle. Contact sales for provisioning support.
Rotation
Rotate keys in-place: create a new key, deploy it, then delete the old key. Audit log captures both events.
