Email API keys provide secure access to email services and data. They enable access to our APIs and allow integrating email functionalities into applications. At Mailgun, we prioritize security through granular access controls and role based authentication, ensuring that each API key has precisely the permissions it needs and nothing more. Proper management of these keys ensures smooth operation, protects against unauthorized access, and maintains the security of sensitive information.

Mailgun provides two types of API keys for authenticating against the API:

Account API Keys

When you sign up for Mailgun, you can generate one or more API keys, depending on your plan, which allow you to perform all CRUD operations via our various API endpoints and for any of your sending domains. These keys have complete access to your account, so they should be stored securely and never shared publicly. With most plans, you can add additional API keys with a specific role via Role Based Access Control (RBAC).

To view and create your account API key(s):

  1. Navigate to the Mailgun Dashboard
  2. Select Account Settings on the right side
  3. On the API keys page click the "Create key" button and fill in the form fields in the modal as needed.
  4. When ready, click the modal's "Create Key" button and record the generated key secret for safekeeping.
Security Notice

Your API key(s) provide full access to your Mailgun account. Store them securely using environment variables or a secrets management system. Never commit a key to version control or share it in public forums.

Domain Sending Keys

Domain Sending Keys are API keys that only allow sending messages via a POST call to the /messages and /messages.mime endpoints of the specific domain in which they were created. These keys provide a secure way to enable sending functionality without exposing your full account access. This is ideal for production applications that only need to send email.

To create a sending API key:

  1. Navigate to the Mailgun Dashboard
  2. Select the Sending tab on the left side of the Mailgun dashboard
  3. Select the Domains tab and choose the domain for which you want to add a sending key
  4. Navigate to the Sending keys tab
  5. Click Add Sending Key

Domain Sending Keys are recommended for production applications as they limit potential security exposure by restricting access to only the sending functionality.
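As an added example (not Mailgun's own code), a minimal server-side sender that reads a Domain Sending Key from an environment variable, mirrors the key's scope locally so that any call outside POST /messages or /messages.mime on its own domain fails before it reaches the API, and never exposes the whole key in logs. The API base URL, the environment variable name and the HTTP Basic scheme (user "api", key as password) are assumptions of this example; the sample key and addresses are constructed.

```python
import base64
import os
from urllib.parse import urlencode
from urllib.request import Request

# Assumed for this example: the US API base URL and HTTP Basic auth with
# user "api" and the key as password. EU accounts use a different base.
API_BASE = "https://api.mailgun.net/v3"
# The only two endpoints a Domain Sending Key may call, per the text above.
SENDING_PATHS = ("messages", "messages.mime")


class DomainSender:
    """Server-side sender bound to one domain and one Domain Sending Key."""

    def __init__(self, domain, api_key=None, env_var="MAILGUN_SENDING_KEY"):
        self.domain = domain
        # The secret comes from the environment, never from source control.
        self.api_key = api_key or os.environ[env_var]

    def is_permitted(self, domain, path):
        """Mirror the key's scope locally so misuse fails before any call."""
        return domain == self.domain and path in SENDING_PATHS

    def auth_header(self):
        token = base64.b64encode(f"api:{self.api_key}".encode()).decode()
        return f"Basic {token}"

    def build_request(self, domain, path, fields):
        """Prepare POST /v3/<domain>/<path>; urlopen(req) would send it."""
        if not self.is_permitted(domain, path):
            raise PermissionError(
                f"key is bound to {self.domain} and may only POST to {SENDING_PATHS}")
        req = Request(f"{API_BASE}/{domain}/{path}",
                      data=urlencode(fields).encode(), method="POST")
        req.add_header("Authorization", self.auth_header())
        return req

    def redacted(self):
        """Log-safe description: shows only the last four key characters."""
        return f"DomainSender(domain={self.domain!r}, key=...{self.api_key[-4:]})"


if __name__ == "__main__":
    sender = DomainSender("mg.example.com")  # key read from MAILGUN_SENDING_KEY
    print(sender.redacted())
```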

Managing Role Based Access Control (RBAC) API Keys

Role Based Access Control (RBAC) API Keys empower admin users to generate API keys using predefined roles that dictate the access level of each key. This feature allows you to implement the principle of least privilege, ensuring team members and applications have only the permissions they need.

Availability

Role Based Access Control is available on Enterprise and certain Business plans. See our Pricing page for more details about plan features.

Important Limitations

Assigned roles cannot be updated after creation. If you need to change a key's permissions, you must create a new key with the desired role and revoke the old one. Be sure to save the key in a secure location immediately upon creation, as you will only be able to view it once.

Understanding Roles

Each role is designed to align with common organizational functions and access requirements:

  • Admin: Full administrative access across all endpoints. Ideal for account owners and senior technical leadership who need complete control over the Mailgun account.

  • Analyst: Read only access to data and metrics. Perfect for data analysts, business intelligence teams, and stakeholders who need to review email performance without making changes.

  • Developer: Full access to technical endpoints needed for building and maintaining email integrations. Designed for engineering teams who implement and manage email functionality in applications.

  • Support: Read access to most endpoints with write access to specific management endpoints. Tailored for customer support teams who need to investigate issues and manage email deliverability without broader administrative privileges.

API Permissions Framework

During the API key creation process, you select a predefined role that assigns specific access levels to various public API endpoints. Understanding these permission types helps you choose the appropriate role for each use case.

| Permission Type | Description |
|---|---|
| No Access | The API key cannot access these endpoints. Any attempt to call these endpoints will return an authentication error. |
| Read | Allows the API key to access GET endpoints within the selected permission category. Ideal for monitoring, reporting, and auditing purposes. |
| Read/Write | Allows the API key to access GET, PATCH, PUT, DELETE, and POST endpoints within the selected permission category. Provides full operational control within that category. |

RBAC API Key Permissions by Role

The table below details each role's specific permissions across all public API endpoints. Use this reference when determining which role best fits your security and operational requirements.

| Endpoints | Admin | Analyst | Developer | Support |
|---|---|---|---|---|
| Domains | Read/Write | Read | Read/Write | Read |
| Messages | Read/Write | Read | Read/Write | Read |
| Webhooks | Read/Write | Read | Read/Write | Read |
| Logs | Read/Write | Read | Read/Write | Read |
| Tags | Read/Write | Read | Read/Write | Read |
| Metrics | Read/Write | Read | Read/Write | Read |
| Unsubscribes (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Complaints (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Bounces (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Whitelist (suppressions) | Read/Write | Read | Read/Write | Read/Write |
| Routes | Read/Write | Read | Read/Write | Read |
| Mailing Lists | Read/Write | Read | Read/Write | Read/Write |
| Templates | Read/Write | Read | Read/Write | Read/Write |
| IPs | Read/Write | Read | Read/Write | Read |
| IP Pools | Read/Write | Read | Read/Write | Read |
| Sub-Accounts | Read/Write | Read | Read/Write | Read |
| Validations | Read/Write | Read | Read/Write | Read |
| Secure Tracking | Read/Write | Read | Read/Write | Read |
| Custom Message Limit | Read/Write | Read | Read | Read |
| Credentials | Read/Write | No Access | Read | No Access |
| Keys | Read/Write | No Access | Read | No Access |
| IP Allowlist | Read/Write | Read | Read/Write | Read |
| Account Management | Read/Write | Read | Read/Write | Read |
| Users on an account | Read | No Access | No Access | No Access |
| Another user's details on an account | Read | No Access | No Access | No Access |
| Own user details | Read | Read | Read | Read |

Custom Message Limits

The Custom Message Limit feature imposes a hard limit on how many messages your account can send during a calendar month. This is a protective measure that helps prevent unexpected overages and provides budget control for high volume senders.

When message limits are enabled:

  • The primary account holder receives an email notification at 50% of the limit
  • A second notification is sent at 75% of the limit
  • After reaching 100% of the limit, the account will be temporarily disabled until the beginning of the following month

You can re-enable your account before the next month begins by either adjusting the message limit via the dashboard or through the API, or by upgrading your plan.

Sending Limits for Subaccounts

Primary account admins, developers, and billing users can set individual message sending limits for each subaccount. This provides granular control over resource allocation across your organization or client base. To configure subaccount sending limits, use the Set a custom sending limit API endpoint.

Subaccount limits are particularly useful for:

  • Agencies managing multiple client accounts
  • Organizations with multiple departments or business units
  • Platforms providing email services to end users

Best Practices for API Key Management

Key Storage and Security

Never expose API keys in client side code. API keys should only be used in server side applications where they cannot be accessed by end users. Store keys using:

  • Environment variables in production environments
  • Secrets management systems like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault
  • Encrypted configuration files with restricted access permissions

Implement key rotation policies. Regularly rotate your API keys to minimize the risk of compromised credentials. We recommend rotating keys at least quarterly, or immediately if you suspect a key has been exposed.

Use the most restrictive role possible. Always assign the minimum permissions required for each use case. If an application only needs to send email, use a Domain Sending Key rather than a primary account key.
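As an added example (not Mailgun's code), the "RBAC API Key Permissions by Role" table and the permissions framework above encoded in Python, so a team can check what a role permits for a given HTTP verb and pick the most restrictive role that still covers a set of required operations, as this paragraph recommends. Ranking roles by the total access they grant is this example's own heuristic, not something the page defines.

```python
# Roles in the order of the table's columns.
ROLES = ("Admin", "Analyst", "Developer", "Support")
LEVEL = {"No Access": 0, "Read": 1, "Read/Write": 2}

# Permission matrix transcribed from the "RBAC API Key Permissions by Role"
# table; the most common row pattern is shared to keep the listing short.
_COMMON = ("Read/Write", "Read", "Read/Write", "Read")
MATRIX = {cat: _COMMON for cat in (
    "Domains", "Messages", "Webhooks", "Logs", "Tags", "Metrics", "Routes",
    "IPs", "IP Pools", "Sub-Accounts", "Validations", "Secure Tracking",
    "IP Allowlist", "Account Management")}
MATRIX.update({
    "Unsubscribes (suppressions)": ("Read/Write", "No Access", "Read/Write", "Read/Write"),
    "Complaints (suppressions)": ("Read/Write", "No Access", "Read/Write", "Read/Write"),
    "Bounces (suppressions)": ("Read/Write", "No Access", "Read/Write", "Read/Write"),
    "Whitelist (suppressions)": ("Read/Write", "Read", "Read/Write", "Read/Write"),
    "Mailing Lists": ("Read/Write", "Read", "Read/Write", "Read/Write"),
    "Templates": ("Read/Write", "Read", "Read/Write", "Read/Write"),
    "Custom Message Limit": ("Read/Write", "Read", "Read", "Read"),
    "Credentials": ("Read/Write", "No Access", "Read", "No Access"),
    "Keys": ("Read/Write", "No Access", "Read", "No Access"),
    "Users on an account": ("Read", "No Access", "No Access", "No Access"),
    "Another user's details on an account": ("Read", "No Access", "No Access", "No Access"),
    "Own user details": ("Read", "Read", "Read", "Read"),
})

def needed_level(method):
    """Per the permissions framework: GET needs Read, other verbs Read/Write."""
    if method == "GET":
        return LEVEL["Read"]
    if method in ("POST", "PUT", "PATCH", "DELETE"):
        return LEVEL["Read/Write"]
    raise ValueError(f"unknown HTTP method {method!r}")

def is_allowed(role, category, method):
    """True if a key with this role may call this verb on this endpoint group."""
    granted = LEVEL[MATRIX[category][ROLES.index(role)]]
    return granted >= needed_level(method)

def privilege_score(role):
    """Total access a role grants; a lower score means a more restrictive role."""
    i = ROLES.index(role)
    return sum(LEVEL[row[i]] for row in MATRIX.values())

def least_privileged_role(operations):
    """Most restrictive role that allows every (category, method) pair, or None."""
    fits = [r for r in ROLES if all(is_allowed(r, c, m) for c, m in operations)]
    return min(fits, key=privilege_score) if fits else None
```

For send-only workloads the table is not the right tool: a Domain Sending Key is narrower than any role shown here.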

Monitoring and Auditing

Monitor your API key usage regularly through the Mailgun dashboard. Watch for:

  • Unexpected spikes in API calls that might indicate compromised credentials
  • Failed authentication attempts
  • API calls from unfamiliar IP addresses or geographic regions

Responding to Compromised Keys

If you suspect an API key has been compromised:

  1. Immediately revoke the compromised key in your Mailgun dashboard
  2. Generate a new key with the appropriate role
  3. Update all applications and services using the old key
  4. Review your account activity logs for unauthorized usage
  5. Consider implementing IP allowlisting for additional security

IP Allowlisting

For enhanced security, configure IP allowlisting to restrict API access to specific IP addresses or ranges. This adds an additional layer of protection by ensuring that even if a key is compromised, it cannot be used from unauthorized locations.
