Concepts

Authentication

How authentication works across the Management API and Send API.

| API | Header | Token belongs to | Use it for |
|---|---|---|---|
| Management API | X-Api-Token: <MANAGEMENT_API_TOKEN> | A Qboxmail user | Managing Hosting and Delivery resources |
| Send API | Authorization: Bearer <SEND_API_TOKEN> | A Delivery account | Sending email with /v1/send or /v1/send/bulk |

Test with the sandbox first

Before using production data, you can request access to the Qboxmail sandbox environment. Sandbox Management API calls use the https://sandbox.qboxmail.com host and do not affect production resources.

Management API authentication

Use X-Api-Token when calling Management API endpoints under /api/*.

curl "https://api.qboxmail.com/api/domains" \
  -H "X-Api-Token: <MANAGEMENT_API_TOKEN>"

Your token decides what you can see and change. Customers, managers, team members, email accounts, and postmasters may have different permissions and access to different resources.

Team members must have the required API permissions for the operation they call.

Send API authentication

Use a bearer token when calling Send API endpoints under /v1/*.

Set up Delivery first

A Send API bearer token is created for a specific Delivery account. If you do not have a Delivery account and a configured sending domain yet, set those up first with the Management API or from the panel.

curl -X POST "https://api.qboxmail.com/v1/send" \
  -H "Authorization: Bearer <SEND_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "messages": [
      {
        "from": "sender@example.com",
        "to": ["john@example.com"],
        "subject": "Hello",
        "text_body": "Hello from Qboxmail Delivery"
      }
    ]
  }'

A Send API token is tied to one Delivery account. The account controls the sending plan, quotas, domain assignments, and suppression-list behavior. The Send API uses that account; it does not create it.

Create a Send API token from the panel

For now, create Send API tokens from the Qboxmail panel.

  1. Open the Qboxmail panel.
  2. Go to Delivery or Email Delivery.
  3. Open Accounts.
  4. Select the Delivery account that will send messages.
  5. Open the API tokens section.
  6. Create a new token and give it a clear label, such as Production app or CRM integration.
  7. Copy the full token immediately.
  8. Optional: restrict the token to trusted IP addresses or CIDR ranges.

Copy Send API tokens immediately

The full Send API token is shown only when it is created. Later, the panel shows only a masked preview. If you lose the token, revoke it and create a new one.

IP allow-lists

Send API tokens can be restricted by IP address. Delivery accounts can also have their own IP allow-list. Both checks apply.

  • If no restriction is configured, the token can be used from any IP.
  • If a token allow-list is configured, requests must come from one of those IPs or CIDR ranges.
  • If the Delivery account has an allow-list, requests must also match the account policy.
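
Before enabling a restriction, you can check which of your application egress IPs would pass both layers. The following is an added example, not Qboxmail code: it models the three rules above locally, and the function names, the order in which the two layers are checked, the acceptance of IPv6 entries, and all sample addresses (documentation ranges) are assumptions.

```python
"""Pre-flight model of the token and account allow-list layers (added example)."""
import ipaddress


def _networks(entries):
    # Accept single IPs or CIDR ranges; strict=False tolerates host bits (e.g. 10.0.0.5/24).
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _matches(ip, networks):
    # An empty list models "no restriction configured" for that layer.
    return not networks or any(ip.version == n.version and ip in n for n in networks)


def evaluate(source_ip, token_allowlist=(), account_allowlist=()):
    """Return (allowed, reason) for one request source IP; both layers must match."""
    ip = ipaddress.ip_address(source_ip)
    if not _matches(ip, _networks(token_allowlist)):
        return False, "token allow-list"
    if not _matches(ip, _networks(account_allowlist)):
        return False, "account allow-list"
    return True, "ok"


def preflight(egress_ips, token_allowlist=(), account_allowlist=()):
    """Map each egress IP to 'ok' or to the layer that would reject it."""
    return {ip: evaluate(ip, token_allowlist, account_allowlist)[1] for ip in egress_ips}


# Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
TOKEN_ALLOW = ["203.0.113.10", "198.51.100.0/24"]
ACCOUNT_ALLOW = ["198.51.100.0/25", "2001:db8::/32"]
EGRESS = ["203.0.113.10", "198.51.100.7", "198.51.100.200", "2001:db8::1"]

if __name__ == "__main__":
    for ip, verdict in preflight(EGRESS, TOKEN_ALLOW, ACCOUNT_ALLOW).items():
        print(f"{ip:>16}  {verdict}")
```

An address that is listed on the token but missing from the account policy is still rejected, so review both lists together when an application's egress IP changes.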

Token security

  • Store tokens in a secret manager, not in source code.
  • Use a separate Send API token per application or environment.
  • Restrict Send API tokens by IP when possible.
  • Rotate tokens when people leave a project or an integration is retired.
  • Revoke unused tokens.
