API Keys
Create and manage API keys for programmatic access to the Taifa Mail API.
API keys let you authenticate with the Taifa Mail API from your backend, scripts, or CI/CD pipelines without using browser-based login.
Creating an API key
- Go to Settings → API Keys.
- Click Create API Key.
- Give the key a descriptive name (e.g. "Production backend", "Staging tests").
- Choose the permission scopes the key should carry (see Permissions below). New keys default to the send scope.
- Click Create.
- Copy the key immediately.
The full API key is shown only once at creation time. If you lose it, you must delete the key and create a new one. There is no way to retrieve an existing key.
The number of active keys you can hold depends on your plan. When you reach the limit, delete an unused key before creating another.
Key format
All Taifa Mail API keys use the prefix tfm_k_ followed by a random string:
The prefix makes keys easy to identify in logs and secret scanners. Only a short prefix of each key is stored on our side; the rest is hashed, so the full key cannot be recovered after creation.
Using an API key
Pass the key in the Authorization header as a Bearer token:
Python example
Node.js example
Permissions
Every API key carries a list of permission scopes, set when the key is created. A key only grants the scopes it was issued with - it is not a full-access credential. New keys default to the send scope.
Each key's scopes are shown next to it in Settings → API Keys, along with its prefix, creation date, and when it was last used. Scope a key down to what the integration actually needs, and use separate keys for separate systems so you can revoke one without affecting the rest.
Revoking a key
- Go to Settings → API Keys.
- Click Delete next to the key you want to revoke.
- Confirm the deletion.
Revocation takes effect immediately - the key is deactivated and any request using it is rejected. Revoked keys are removed from the list and cannot be reactivated.
Rotate your API keys periodically. If you suspect a key has been compromised, revoke it immediately and create a new one.
Security best practices
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Use different keys for production and staging environments.
- Delete keys that are no longer in use.
- Monitor your API usage in Settings → API Keys for unexpected activity.
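The `tfm_k_` prefix described under Key format is what makes the first practice above enforceable. The following is an added example, not Taifa Mail's own code: a scanner that flags key-shaped strings in files (for a pre-commit hook or CI step) and masks them in log text. The length and character set of the random part, the `taifa-scan:allow` marker, the environment variable name, and the sample key are assumptions made for this example.

```python
import re
import sys

# Assumption: the random part is 16+ URL-safe characters. The page documents
# only the "tfm_k_" prefix, so adjust the class and length to your real keys.
KEY_RE = re.compile(r"\btfm_k_[A-Za-z0-9_-]{16,}")
ALLOW_MARKER = "taifa-scan:allow"  # hypothetical opt-out for placeholder lines
VISIBLE = 4  # random-part characters kept so a finding can be matched to a key


def redact(key: str) -> str:
    """Keep the prefix and a few characters, mask the rest."""
    keep = len("tfm_k_") + VISIBLE
    return key[:keep] + "*" * (len(key) - keep)


def scan_text(name: str, text: str):
    """Return (file, line_no, redacted_key) for every key-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for match in KEY_RE.finditer(line):
            findings.append((name, line_no, redact(match.group())))
    return findings


def scrub(text: str) -> str:
    """Mask keys in log output before it is stored or shipped."""
    return KEY_RE.sub(lambda m: redact(m.group()), text)


# Constructed sample input; the keys and variable name are made up.
SAMPLE = '''\
import os
API_KEY = os.environ["TAIFA_API_KEY"]
LEGACY_KEY = "tfm_k_Zx81kQpLm02NvTreY7ab"
Authorization: Bearer tfm_k_EXAMPLEexample0000  # taifa-scan:allow
'''

if __name__ == "__main__":
    results = scan_text("<sample>", SAMPLE) if len(sys.argv) == 1 else []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            results += scan_text(p, fh.read())
    for name, line_no, key in results:
        print(f"{name}:{line_no}: possible Taifa Mail API key {key}")
    sys.exit(1 if results else 0)
```

Run it with file paths as arguments; a non-zero exit status means at least one key-shaped string was found, and the output shows only the masked form so the scanner's own logs do not leak the key.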