Authentication
How authentication works across the Management API and Send API.
| API | Header | Token belongs to | Use it for |
|---|---|---|---|
| Management API | X-Api-Token: <MANAGEMENT_API_TOKEN> | A Qboxmail user | Managing Hosting and Delivery resources |
| Send API | Authorization: Bearer <SEND_API_TOKEN> | A Delivery account | Sending email with /v1/send or /v1/send/bulk |
Before using production data, you can request access to the Qboxmail sandbox environment. Sandbox Management API calls use the https://sandbox.qboxmail.com host and do not affect production resources.
Management API authentication
Use X-Api-Token when calling Management API endpoints under /api/*.
curl "https://api.qboxmail.com/api/domains" \
  -H "X-Api-Token: <MANAGEMENT_API_TOKEN>"

Your token decides what you can see and change. Customers, managers, team members, email accounts, and postmasters may have different permissions and access to different resources.
Team members must have the required API permissions for the operation they call.
Send API authentication
Use a bearer token when calling Send API endpoints under /v1/*.
A Send API bearer token is created for a specific Delivery account. If you do not have a Delivery account and a configured sending domain yet, set those up first with the Management API or from the panel.
curl -X POST "https://api.qboxmail.com/v1/send" \
  -H "Authorization: Bearer <SEND_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      {
        "from": "sender@example.com",
        "to": ["john@example.com"],
        "subject": "Hello",
        "text_body": "Hello from Qboxmail Delivery"
      }
    ]
  }'

A Send API token is tied to one Delivery account. The account controls the sending plan, quotas, domain assignments, and suppression-list behavior. The Send API uses that account; it does not create it.
Create a Send API token from the panel
For now, create Send API tokens from the Qboxmail panel.
- Open the Qboxmail panel.
- Go to Delivery or Email Delivery.
- Open Accounts.
- Select the Delivery account that will send messages.
- Open the API tokens section.
- Create a new token and give it a clear label, such as Production app or CRM integration.
- Copy the full token immediately.
- Optional: restrict the token to trusted IP addresses or CIDR ranges.
The full Send API token is shown only when it is created. Later, the panel shows only a masked preview. If you lose the token, revoke it and create a new one.
IP allow-lists
Send API tokens can be restricted by IP address. Delivery accounts can also have their own IP allow-list. Both checks apply.
- If no restriction is configured, the token can be used from any IP.
- If a token allow-list is configured, requests must come from one of those IPs or CIDR ranges.
- If the Delivery account has an allow-list, requests must also match the account policy.
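How the two allow-lists combine, as an added example that is not Qboxmail's code: it models the rules above, assuming an empty list at either layer means no restriction at that layer. The function names and the sample ranges are constructed for illustration.

```python
import ipaddress

# Illustrative model only, not Qboxmail code. Assumes empty list = unrestricted layer.
def parse_allow_list(entries):
    """Parse IPs and CIDR ranges; a malformed entry raises ValueError."""
    # strict=False accepts host-style input such as "203.0.113.7/24".
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def layer_allows(source_ip, allow_list):
    """One layer: unrestricted when empty, otherwise the IP must match."""
    if not allow_list:
        return True
    addr = ipaddress.ip_address(source_ip)
    # An IPv4 address is never "in" an IPv6 network, and vice versa.
    return any(addr in net for net in parse_allow_list(allow_list))

def request_allowed(source_ip, token_allow_list, account_allow_list):
    """Both checks apply: token list AND account list must pass."""
    return (layer_allows(source_ip, token_allow_list)
            and layer_allows(source_ip, account_allow_list))

def effective_ranges(token_allow_list, account_allow_list):
    """Ranges that pass both layers; None means no restriction at all."""
    token_nets = parse_allow_list(token_allow_list)
    account_nets = parse_allow_list(account_allow_list)
    if not token_nets or not account_nets:
        nets = token_nets or account_nets
        return [str(n) for n in nets] if nets else None
    overlap = []
    for t in token_nets:
        for a in account_nets:
            if t.version != a.version:
                continue
            # Two CIDR blocks either nest or are disjoint.
            if t.subnet_of(a):
                overlap.append(str(t))
            elif a.subnet_of(t):
                overlap.append(str(a))
    return list(dict.fromkeys(overlap))  # de-duplicate, keep order

# Constructed sample policy (documentation address ranges).
TOKEN_LIST = ["203.0.113.0/24"]
ACCOUNT_LIST = ["203.0.113.16/28", "2001:db8::/32"]

if __name__ == "__main__":
    for ip in ("203.0.113.20", "203.0.113.200", "2001:db8::1"):
        print(ip, request_allowed(ip, TOKEN_LIST, ACCOUNT_LIST))
    print(effective_ranges(TOKEN_LIST, ACCOUNT_LIST))
```

An empty result from effective_ranges means the two lists do not overlap, so under this model no source address could use the token.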
Token security
- Store tokens in a secret manager, not in source code.
- Use a separate Send API token per application or environment.
- Restrict Send API tokens by IP when possible.
- Rotate tokens when people leave a project or an integration is retired.
- Revoke unused tokens.