Docs
Access — API Keys & SMTP Credentials
The Access panel section produces two distinct secrets: an API key used
for POST /v1/send, and a SMTP credential used by SMTP submission
(AUTH PLAIN against apps/smtp).
API keys
| Path | Auth | Body | Result |
|---|---|---|---|
GET /v1/panel/access |
viewer+ | — | Lists api_keys_safe + smtp_credentials_safe views |
POST /v1/panel/api-keys |
operator+ | { name } |
Returns { key, prefix, hash } exactly once |
DELETE /v1/panel/api-keys/:id |
admin+ | — | Sets active=false |
Storage: api_keys.hash carries a scrypt-style salted hash of the raw key
(prefix is stored in clear for display). Re-showing the secret is impossible
by design.
SMTP credentials
| Path | Auth | Body | Result |
|---|---|---|---|
POST /v1/panel/smtp-credentials |
operator+ | { username, password } |
{ username, id } (raw password never returned) |
SMTP credentials authenticate against apps/smtp via SMTP AUTH. Submission
should use STARTTLS whenever possible (see docs/build/smtp.md).
One-time-secret UX
The panel Access section shows the key once after creation in a
“one-time secret” panel with a copy button. Operators must capture it before
navigating away; the secret is never reconstructed server-side.
Related
- docs/build/smtp.md — SMTP submission over the STARTTLS proxy.
- docs/build/credits.md — every send consumes one credit per recipient.
Last verified: Sat Jul 11 2026 17:00:00 GMT-0700 (Pacific Daylight Time). Cross-link maintained byscripts/check-docs-drift.sh (M54).