Skip to content
PostMTA Hosted
StatusSign inOpen panelRequest access
Open menu

Docs

Open in panel → /app · access

Access — API Keys & SMTP Credentials

The Access panel section produces two distinct secrets: an API key used for POST /v1/send, and a SMTP credential used by SMTP submission (AUTH PLAIN against apps/smtp).

API keys

Path Auth Body Result
GET /v1/panel/access viewer+ Lists api_keys_safe + smtp_credentials_safe views
POST /v1/panel/api-keys operator+ { name } Returns { key, prefix, hash } exactly once
DELETE /v1/panel/api-keys/:id admin+ Sets active=false

Storage: api_keys.hash carries a scrypt-style salted hash of the raw key (prefix is stored in clear for display). Re-showing the secret is impossible by design.

SMTP credentials

Path Auth Body Result
POST /v1/panel/smtp-credentials operator+ { username, password } { username, id } (raw password never returned)

SMTP credentials authenticate against apps/smtp via SMTP AUTH. Submission should use STARTTLS whenever possible (see docs/build/smtp.md).

One-time-secret UX

The panel Access section shows the key once after creation in a “one-time secret” panel with a copy button. Operators must capture it before navigating away; the secret is never reconstructed server-side.

Last verified: Sat Jul 11 2026 17:00:00 GMT-0700 (Pacific Daylight Time). Cross-link maintained byscripts/check-docs-drift.sh (M54).

← All docs