Authentication

The Postject API uses API keys to authenticate requests. You can view and manage your active API keys from the Settings page of your dashboard.


Using the API Key

Authentication to the API is performed via HTTP Bearer Auth. You must provide your API key in the Authorization header for all requests.

```http
Authorization: Bearer pt_live_xxxxxxxxxxxxxxxxxxxx
```

Security Notice

Your API keys carry many privileges, so be sure to keep them incredibly secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.


API Key Management

Postject supports multiple active API keys per account, allowing you to rotate keys without downtime and scope keys to different applications or environments.

Creating Additional Keys

```http
POST /v1/auth/api-keys
Authorization: Bearer <your_jwt_token>
Content-Type: application/json

{
  "name": "Production API",
  "expiresInDays": 365
}
```

Each key can have an optional name and expiration date. You can create up to 10 active keys at once. Expired keys are automatically deactivated and cannot be used.

Listing Active Keys

```http
GET /v1/auth/api-keys
Authorization: Bearer <your_jwt_token>
```

Rotating Keys

To rotate an API key without downtime:

  1. Create a new API key via the dashboard or API
  2. Update your application to use the new key
  3. Verify the new key works in production
  4. Revoke the old key
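
The rotation steps above, scripted so the old key is revoked only after the new one has been verified. This is an added example, not Postject's own code. The `call` transport, the `verify` callback, and the `id` and `key` response fields are assumptions, since the page does not show the response body.

```python
"""Zero-downtime rotation against the key-management endpoints shown on this page."""
from typing import Callable, Optional

# Transport signature (assumption): call(method, path, json_body) -> parsed JSON dict.
# In real use it would send the request with "Authorization: Bearer <your_jwt_token>".
Transport = Callable[[str, str, Optional[dict]], dict]

KEYS_PATH = "/v1/auth/api-keys"  # endpoint path taken from the page


class RotationAborted(Exception):
    """The new key failed verification; the old key was left active."""


def rotate_key(call: Transport, old_key_id: str, name: str,
               verify: Callable[[str], bool], expires_in_days: int = 365) -> str:
    """Create a key, verify it, and only then revoke the old one.

    Returns the id of the new key. The "id" and "key" response fields
    are assumptions; the page does not show the response body.
    """
    # Step 1: create the replacement (request body fields are from the page).
    created = call("POST", KEYS_PATH, {"name": name, "expiresInDays": expires_in_days})
    new_id, new_secret = created["id"], created["key"]

    # Steps 2-3: the caller deploys the new secret and confirms it works.
    try:
        ok = verify(new_secret)
    except Exception:
        ok = False
    if not ok:
        # Revoke the unverified key so it does not linger as an unused credential
        # or count against the 10-active-key limit. The old key is untouched.
        call("DELETE", f"{KEYS_PATH}/{new_id}", None)
        raise RotationAborted(f"new key {new_id} failed verification; kept {old_key_id}")

    # Step 4: revocation is immediate and irreversible, so it comes last.
    call("DELETE", f"{KEYS_PATH}/{old_key_id}", None)
    return new_id
```
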

Revoking Keys

```http
DELETE /v1/auth/api-keys/:keyId
Authorization: Bearer <your_jwt_token>
```

Revoked keys are immediately deactivated and cannot be reactivated. All requests using a revoked key will return a 401 Unauthorized error.


Sandbox & Production Mode

All new accounts start in sandbox mode. In sandbox mode your API key and server tokens are fully functional and emails are processed and delivered, but delivery is restricted to addresses you have explicitly added to your sandbox whitelist in the dashboard under Account → Sandbox Emails.

This lets you verify your full integration (real SMTP delivery, webhooks, event tracking) against your own inboxes before exposing your domain to the wider internet.

Requesting Production Access

To unlock unrestricted sending you must: (1) verify a sending domain, (2) successfully send at least one email in sandbox mode, then (3) navigate to Account → Production Access and submit a request. Once approved, your account switches to production mode and the sandbox whitelist no longer applies.