
Managing Role-Based Access Control (RBAC) API Keys

Role-Based Access Control (RBAC) API keys let admin users generate API keys with predefined roles that dictate the access level of each key.

Info
  • Assigned roles cannot be updated. You will need to create a new key. Be sure to save the key in a safe place, as you will only be able to see it once when you create it.
  • Role-Based Access Control is only available on specific plans. See our Pricing page for more details: https://www.mailgun.com/pricing/

API Permissions

During the API key creation process, you will be able to select a predefined role. This role assigns certain access levels to various public API endpoints. Read and write privileges are based on the role assigned to the API key.

| Permission Type | Description |
|---|---|
| No Access | Will have no access to certain public API endpoints. |
| Read | Allows the API key to access GET endpoints within the selected permission. |
| Read/Write | Allows the API key to access GET, PATCH, PUT, DELETE, and POST endpoints within the selected permission. |

RBAC API Key Permissions Based on Role

The assigned role determines the API key's permissions (access and rights) for each public API endpoint, as listed below.

| Endpoints | Admin | Analyst | Developer | Support |
|---|---|---|---|---|
| Domains | Read/Write | Read | Read/Write | Read |
| Messages | Read/Write | Read | Read/Write | Read |
| Webhooks | Read/Write | Read | Read/Write | Read |
| Logs | Read/Write | Read | Read/Write | Read |
| Tags | Read/Write | Read | Read/Write | Read |
| Metrics | Read/Write | Read | Read/Write | Read |
| Unsubscribes (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Complaints (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Bounces (suppressions) | Read/Write | No Access | Read/Write | Read/Write |
| Whitelist (suppressions) | Read/Write | Read | Read/Write | Read/Write |
| Routes | Read/Write | Read | Read/Write | Read |
| Mailing Lists | Read/Write | Read | Read/Write | Read/Write |
| Templates | Read/Write | Read | Read/Write | Read |
| IPs | Read/Write | Read | Read/Write | Read |
| IP Pools | Read/Write | Read | Read/Write | Read |
| Sub-Accounts | Read/Write | Read | Read/Write | Read |
| Validations | Read/Write | Read | Read/Write | Read |
| Secure Tracking | Read/Write | Read | Read/Write | Read |
| Custom Message Limit | Read/Write | Read | Read | Read |
| Credentials | Read/Write | No Access | Read | No Access |
| Keys | Read/Write | No Access | Read | No Access |
| IP Allowlist | Read/Write | Read | Read/Write | Read |
| Account Management | Read/Write | Read | Read/Write | Read |
| Users on an account | Read | No Access | No Access | No Access |
| Another user's details on an account | Read | No Access | No Access | No Access |
| Own user details | Read | Read | Read | Read |
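
Because an assigned role cannot be changed after the key is created, it helps to work out the narrowest role before generating a key. The following is an added example, not Mailgun code: it transcribes the role matrix above and, given the endpoint groups and HTTP methods an integration calls, returns the role that satisfies them with the smallest overall grant. The function names and the "sum of access levels" ranking are assumptions made for this example.

```python
# Added example: matrix transcribed from the role table on this page.
# Columns: Admin, Analyst, Developer, Support. W=Read/Write, R=Read, N=No Access.
# Suppression rows are keyed without the "(suppressions)" suffix.
ROLES = ("Admin", "Analyst", "Developer", "Support")
LEVEL = {"N": 0, "R": 1, "W": 2}
MATRIX = {
    "Domains": "WRWR", "Messages": "WRWR", "Webhooks": "WRWR", "Logs": "WRWR",
    "Tags": "WRWR", "Metrics": "WRWR", "Unsubscribes": "WNWW",
    "Complaints": "WNWW", "Bounces": "WNWW", "Whitelist": "WRWW",
    "Routes": "WRWR", "Mailing Lists": "WRWW", "Templates": "WRWR",
    "IPs": "WRWR", "IP Pools": "WRWR", "Sub-Accounts": "WRWR",
    "Validations": "WRWR", "Secure Tracking": "WRWR",
    "Custom Message Limit": "WRRR", "Credentials": "WNRN", "Keys": "WNRN",
    "IP Allowlist": "WRWR", "Account Management": "WRWR",
    "Users on an account": "RNNN",
    "Another user's details on an account": "RNNN", "Own user details": "RRRR",
}
WRITE_METHODS = {"PATCH", "PUT", "DELETE", "POST"}


def needed_level(method):
    """GET needs Read; PATCH, PUT, DELETE and POST need Read/Write."""
    method = method.upper()
    if method == "GET":
        return LEVEL["R"]
    if method in WRITE_METHODS:
        return LEVEL["W"]
    raise ValueError(f"method not covered by the permission types: {method}")


def least_privileged_role(required):
    """required: iterable of (endpoint group, HTTP method) the integration calls.

    Returns the qualifying role with the smallest total grant across the whole
    matrix (a hypothetical ranking chosen for this example), or None.
    """
    need = {}
    for endpoint, method in required:
        if endpoint not in MATRIX:
            raise KeyError(f"unknown endpoint group: {endpoint}")
        need[endpoint] = max(need.get(endpoint, 0), needed_level(method))
    best = None
    for col, role in enumerate(ROLES):
        if all(LEVEL[MATRIX[ep][col]] >= lvl for ep, lvl in need.items()):
            total = sum(LEVEL[row[col]] for row in MATRIX.values())
            if best is None or total < best[0]:
                best = (total, role)
    return best[1] if best else None
```

A result of `None` means no predefined role grants the requested combination, for example a write to "Users on an account", which every role has as Read or No Access.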

Custom Message Limit

The Custom Message Limit imposes a hard limit on how many messages your account can send during a calendar month. The primary account holder will receive an e-mail notification when 50% and 75% of the limit have been crossed. After the limit has been reached, the account will be disabled until the beginning of the following month, or until it has been re-enabled in the dashboard or by modifying the message limit via the API.

Sending limits for Subaccounts

Primary account admins, developers, and billing users can set message sending limits for each subaccount.

This can be done by going to "Set a custom sending limit".