Authentication overview
Authentication for Postmark's API is primarily handled through API keys, a common method for securing access to web services. These keys serve as unique identifiers and secret tokens that applications include with each request to verify their identity and authorization. Postmark distinguishes between two main types of API keys: Server API Tokens and Account API Tokens, each designed for specific access levels and use cases.
When an application sends a request to the Postmark API, it includes the relevant token in a custom HTTP header: X-Postmark-Server-Token for Server API Tokens or X-Postmark-Account-Token for Account API Tokens. Postmark validates the token against its records to confirm that the request comes from an authorized source and that the token is permitted to perform the requested action. Note that these are custom headers, not the Authorization header defined by the IETF's HTTP authentication framework (RFC 7235, now part of RFC 9110); nothing about the header format protects the token. What protects it in transit is TLS: all communication with the Postmark API occurs over HTTPS, which encrypts the token and the request body and protects against eavesdropping and tampering.
Choosing the correct API key type is crucial for maintaining a strong security posture. Server API Tokens are generally recommended for day-to-day transactional email sending and template management, as they are scoped to a specific server and limit potential damage if compromised. Account API Tokens, with their broader permissions, are typically reserved for administrative tasks that require access across multiple servers or account-level settings.
Supported authentication methods
Postmark primarily supports API key-based authentication for all interactions with its API. This method is widely adopted for its simplicity and effectiveness in managing access to web services. The platform offers two distinct types of API keys, each with specific permissions and intended uses:
- Server API Tokens: These tokens are generated at the server level within your Postmark account. They grant access to send emails, manage templates, and retrieve statistics for a specific server. Server API Tokens are the recommended method for most application integrations, as they adhere to the principle of least privilege, limiting the scope of access to only what is necessary for a particular application or service.
- Account API Tokens: These tokens provide broader access to your entire Postmark account. They allow for management of servers, domains, and other account-level settings, in addition to all actions permitted by Server API Tokens. Due to their extensive permissions, Account API Tokens should be handled with extreme care and used only for administrative tasks that explicitly require account-wide access.
While API keys are the primary method, Postmark's infrastructure also relies on standard web security protocols such as Transport Layer Security (TLS) to encrypt all data in transit. This ensures that the API keys themselves, along with email content and other sensitive information, are protected from interception during communication between your application and Postmark's servers.
Authentication methods summary
| Method | When to Use | Blast radius if leaked |
|---|---|---|
| Server API Token | Sending transactional emails, managing templates, retrieving server-specific stats. Recommended for most application integrations. | One server: an attacker can send mail as that server and read its templates and statistics, nothing beyond it. |
| Account API Token | Managing servers, domains, users, and account-wide settings. For administrative tasks requiring broad access. | Entire account: an attacker can create, modify or delete servers and domains and manage every server, including its tokens. |
Getting your credentials
To obtain your Postmark API credentials, you must access your Postmark account through the web interface. Both Server API Tokens and Account API Tokens are generated and managed within the Postmark Admin Panel.
- Log In: Navigate to the Postmark website and log in to your account.
- Access API Tokens:
- For Server API Tokens: From the main dashboard, select the specific server you wish to manage. Within the server's settings, you will find an "API Tokens" section where you can generate new tokens or view existing ones. Each server has its own set of Server API Tokens.
- For Account API Tokens: Navigate to your account settings, where account-level API access is managed. Because an Account API Token grants account-wide access, copy it straight into your secret store at creation time, never into a chat message, ticket or shared document.
- Generate and Store: When generating a new token, Postmark displays the unique API key. Copy it immediately into your secret store and treat it as compromised if it ever appears anywhere else. If a token is lost or you suspect it has been exposed, generate a new one and revoke the old one rather than continuing to use it.
- Revoke Tokens: For security purposes, if a token is compromised or no longer needed, you can revoke it from the Postmark Admin Panel, immediately disabling its access to your API.
It is a best practice to generate separate Server API Tokens for different applications or environments (e.g., development, staging, production) to further segment access and simplify credential management and rotation.
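The per-environment tokens recommended above only help if the application refuses to start with a missing or wrong token and never writes the token to its logs. The following is an added example, not Postmark's own code: it reads a Server API Token from an environment variable chosen by deployment environment, sanity-checks its shape, and exposes a redacting helper for log lines. The variable names are this example's convention, and the check that tokens are UUID-shaped is an assumption about Postmark's current token format.

```javascript
// Added example (not Postmark's code): load a Server API Token from the
// environment, pick the variable by deployment environment, and keep the
// token out of logs. Variable names are this example's own convention.
"use strict";

// Postmark API tokens are UUID-shaped (assumption about the current format;
// adjust if Postmark changes it). The check mainly catches placeholders such
// as "YOUR_SERVER_API_TOKEN" that were never replaced before deployment.
const TOKEN_SHAPE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// One Server API Token per environment, as the text recommends.
const TOKEN_VARS = {
  development: "POSTMARK_SERVER_TOKEN_DEV",
  staging: "POSTMARK_SERVER_TOKEN_STAGING",
  production: "POSTMARK_SERVER_TOKEN_PROD",
};

// Show only enough of a token to tell tokens apart in logs, never the value.
function redact(token) {
  if (typeof token !== "string" || token.length < 8) return "<redacted>";
  return `${token.slice(0, 4)}...${token.slice(-4)}`;
}

// Read the token for `appEnv` from `env` (process.env in real use; an object
// is injected so the function can be exercised offline).
function loadServerToken(appEnv, env = process.env) {
  const varName = TOKEN_VARS[appEnv];
  if (!varName) throw new Error(`unknown environment "${appEnv}"`);
  const token = (env[varName] || "").trim();
  if (!token) throw new Error(`${varName} is not set`);
  if (!TOKEN_SHAPE.test(token)) {
    // Name the variable and a redacted value so the error is safe to log.
    throw new Error(`${varName} does not look like a Postmark API token (got ${redact(token)})`);
  }
  return { headerName: "X-Postmark-Server-Token", token, source: varName };
}

// Constructed sample environment for an offline demonstration.
const sampleEnv = { POSTMARK_SERVER_TOKEN_PROD: "0123abcd-ef01-2345-6789-0123456789ab" };
const sampleCfg = loadServerToken("production", sampleEnv);
console.log(`loaded ${sampleCfg.source} -> ${redact(sampleCfg.token)}`);
```

Failing fast on a missing variable is deliberate: a service that silently falls back to a development token in production sends real mail through the wrong server and makes the compromise of that token far more valuable.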
Authenticated request example
Authenticating a request to the Postmark API involves including your Server API Token in the X-Postmark-Server-Token HTTP header. The following example demonstrates how to send an email using the Postmark API with a Server API Token. This example uses a common curl command for clarity, but the same principle applies when using any of Postmark's official SDKs (Node, Python, Ruby, PHP, Java, C#, Go) or other HTTP client libraries.
```bash
curl "https://api.postmarkapp.com/email" \
  -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -H "X-Postmark-Server-Token: YOUR_SERVER_API_TOKEN" \
  -d '{"From": "sender@example.com", "To": "recipient@example.com", "Subject": "Hello from Postmark", "HtmlBody": "<strong>Hello</strong> Postmark!", "TextBody": "Hello Postmark!", "MessageStream": "outbound"}'
```
In this example:
- YOUR_SERVER_API_TOKEN should be replaced with an actual Server API Token obtained from your Postmark account; the sender and recipient addresses are placeholders.
- The -H "X-Postmark-Server-Token: YOUR_SERVER_API_TOKEN" line is where the authentication credential is provided.
- The -d flag contains the JSON payload for the email, specifying sender, recipient, subject, and content.
When using an SDK, the token is configured once when the client is initialized and the library adds the header to every request for you. In Node.js, reading the token from an environment variable rather than hardcoding it:

```javascript
const postmark = require("postmark");

// Read the Server API Token from the environment; the client sends it in the
// X-Postmark-Server-Token header on every call.
const client = new postmark.ServerClient(process.env.POSTMARK_SERVER_TOKEN);

client.sendEmail({
  "From": "sender@example.com",
  "To": "recipient@example.com",
  "Subject": "Hello from Node.js Postmark",
  "HtmlBody": "<strong>Hello</strong> Postmark from Node.js!",
  "TextBody": "Hello Postmark from Node.js!",
  "MessageStream": "outbound"
}).then(response => {
  console.log("Email sent:", response.MessageID);
}).catch(error => {
  // Log the error message only; request headers would include the token.
  console.error("Error sending email:", error.message);
});
```
Refer to the Postmark developer documentation for specific examples and library usage in different programming languages.
Security best practices
Securing your Postmark API keys and ensuring the integrity of your email sending operations is paramount. Adhering to these best practices can help mitigate risks associated with credential compromise:
- Use Server API Tokens for most operations: Limit the use of Account API Tokens to only those administrative tasks that explicitly require account-wide permissions. For sending emails, managing templates, and retrieving statistics, always use a Server API Token, which has a more restricted scope.
- Environment Variables or Secret Management: Never hardcode API keys directly into your application's source code. Instead, store them in environment variables or use a dedicated secret management service (e.g., AWS Secrets Manager, Google Secret Manager, Azure Key Vault, or HashiCorp Vault). This prevents keys from being exposed in version control systems and allows for easier rotation.
- Regular Key Rotation: Periodically rotate your API keys. This practice minimizes the window of exposure if a key is compromised without your knowledge. The frequency of rotation depends on your organization's security policies and risk assessment.
- Restrict Network Access (where possible): Postmark's API itself does not offer IP allowlisting for incoming requests, so the control sits on your side. Use egress rules so that only the hosts or workloads that legitimately send mail can reach api.postmarkapp.com, and keep the token out of environments that have no such path. This does not stop an attacker who already holds the token from using it from elsewhere, but it narrows which of your workloads can use or leak it and makes unexpected use inside your network visible.
- Monitor API Usage: Regularly review your Postmark account's usage logs and activity. Unusual spikes in email volume or unexpected API calls could indicate a compromise.
- Secure Development Practices: Server-side secrets such as API tokens are usually leaked through arbitrary file read or path traversal, server-side request forgery against cloud metadata endpoints, verbose error pages and stack traces, request logging that captures headers, and tokens accidentally bundled into client-side code. Follow secure coding guidance such as the OWASP Top Ten, and review every place the token could appear in logs, error output or build artifacts.
- Principle of Least Privilege: Grant only the necessary permissions to applications and users. For instance, if a service only needs to send emails, provide it with a Server API Token dedicated to that server, rather than an Account API Token.
- HTTPS Everywhere: Postmark serves its API over HTTPS, but verify that your HTTP client validates the server's TLS certificate and that certificate verification has not been disabled (for example a verify=False or rejectUnauthorized: false setting left over from debugging). A client that skips validation will hand the token to anyone who can intercept the connection.
- Webhook Security: If you use Postmark webhooks for event notifications (bounces, opens, deliveries), serve the endpoint over HTTPS only and authenticate every call. Postmark lets you configure HTTP Basic Auth credentials and custom request headers for a webhook; check those on each request with a constant-time comparison, and restrict accepted source addresses to the IP ranges Postmark publishes for its webhook traffic. Do not rely on the secrecy of the webhook URL alone.