API Keys
Create and manage API keys for programmatic access to the Taifa Mail API.
API keys let you authenticate with the Taifa Mail API from your backend, scripts, or CI/CD pipelines without using browser-based login.
There is no separate developer onboarding wizard. An API key can be created as soon as you have an account, but sending only works once your institution's domain is ICTA-approved, verified, and has an allocated mailbox to send from. See Request domains & mailboxes from ICTA.
Creating an API key
- Go to Developer → API Keys.
- Click Create API Key.
- Give the key a descriptive name, for example "Service portal production" or "ICT staging tests".
- Choose the permission scopes the key should carry (see Permissions below). New keys default to the
sendscope. - Click Create.
- Copy the key immediately.
The full API key is shown only once at creation time. If you lose it, you must delete the key and create a new one. There is no way to retrieve an existing key.
Key format
All Taifa Mail API keys use the prefix tfm_k_ followed by a random string:
The prefix makes keys easy to identify in logs and secret scanners. Only a short prefix of each key is stored on our side; the rest is hashed, so the full key cannot be recovered after creation.
Using an API key
Pass the key in the Authorization header as a Bearer token:
Python example
Node.js example
Permissions
Every API key carries a list of permission scopes, set when the key is created. A key only grants the scopes it was issued with - it is not a full-access credential. New keys default to the send scope.
Each key's scopes are shown next to it in Developer → API Keys, along with its prefix, creation date, and when it was last used. Scope a key down to what the integration actually needs, and use separate keys for separate systems so you can revoke one without affecting the rest.
Revoking a key
- Go to Developer → API Keys.
- Click Delete next to the key you want to revoke.
- Confirm the deletion.
Revocation takes effect immediately - the key is deactivated and any request using it is rejected. Revoked keys are removed from the list and cannot be reactivated.
Rotate your API keys periodically. If you suspect a key has been compromised, revoke it immediately and create a new one.
Security best practices
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Use different keys for production and staging environments.
- Delete keys that are no longer in use.
- Monitor your API usage in Developer → API Keys for unexpected activity.