API Keys API

Manage API keys for authenticating requests.

Every request needs a bearer token and goes to a path under https://api.anypost.com/v1. See API conventions for the shared request, error, and pagination rules.

List API keys

GET /v1/api-keys

Returns the authenticated team's API keys, newest-first, with cursor pagination.

Parameters

limitintegerin query[optional]

Number of items to return.

afterstringin query[optional]

Opaque cursor from a previous response's next_cursor. Do not parse.

Example request

curl https://api.anypost.com/v1/api-keys \
  -H "Authorization: Bearer $ANYPOST_API_KEY"

Response body

On success (200), the response body is:

dataarray of ApiKey

has_moreboolean

next_cursorstring

May be null.

{
  "data": [
    {
      "id": "key_550e8400-e29b-41d4-a716-446655440000",
      "name": "Production server",
      "key_prefix": "ap_AbCdEf12Kx",
      "permissions": "full",
      "allowed_domains": [
        "string"
      ],
      "allowed_ips": [
        "string"
      ],
      "last_used_at": "string",
      "created_at": "string"
    }
  ],
  "has_more": true,
  "next_cursor": "string"
}

Responses

Create an API key

POST /v1/api-keys

Issues a new API key for the authenticated team. The full plaintext secret is returned only in the response to this request — store it securely; it cannot be retrieved later.

Request body

Send as JSON with Content-Type: application/json.

namestring[required]

permissionsstring[required]

One of: full, send_only.

allowed_domainsarray of string[optional]

May be null.

allowed_ipsarray of string[optional]

May be null.

Example request

curl https://api.anypost.com/v1/api-keys \
  -X POST \
  -H "Authorization: Bearer $ANYPOST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "string",
    "permissions": "full"
  }'

Response body

On success (201), the response body is:

idstring

namestring

key_prefixstring

The first 12 characters of the key, shown for identification.

permissionsstring

One of: full, send_only.

allowed_domainsarray of string

Domains this key may send from. Null means all verified domains.

May be null.

allowed_ipsarray of string

IP addresses or CIDR blocks allowed to use this key. Null means all IPs.

May be null.

last_used_atstring (date-time)

May be null.

created_atstring (date-time)

keystring

The full API key. Returned only once at creation. Store it securely.

{
  "id": "key_550e8400-e29b-41d4-a716-446655440000",
  "name": "Production server",
  "key_prefix": "ap_AbCdEf12Kx",
  "permissions": "full",
  "allowed_domains": [
    "string"
  ],
  "allowed_ips": [
    "string"
  ],
  "last_used_at": "string",
  "created_at": "string",
  "key": "ap_AbCdEf12KxLmNoPq..."
}

Responses

Retrieve an API key

GET /v1/api-keys/{id}

Returns metadata for a single API key. The full secret is never returned here.

Parameters

idstringin path[required]

Example request

curl https://api.anypost.com/v1/api-keys/key_550e8400-e29b-41d4-a716-446655440000 \
  -H "Authorization: Bearer $ANYPOST_API_KEY"

Response body

On success (200), the response body is:

idstring

namestring

key_prefixstring

The first 12 characters of the key, shown for identification.

permissionsstring

One of: full, send_only.

allowed_domainsarray of string

Domains this key may send from. Null means all verified domains.

May be null.

allowed_ipsarray of string

IP addresses or CIDR blocks allowed to use this key. Null means all IPs.

May be null.

last_used_atstring (date-time)

May be null.

created_atstring (date-time)

{
  "id": "key_550e8400-e29b-41d4-a716-446655440000",
  "name": "Production server",
  "key_prefix": "ap_AbCdEf12Kx",
  "permissions": "full",
  "allowed_domains": [
    "string"
  ],
  "allowed_ips": [
    "string"
  ],
  "last_used_at": "string",
  "created_at": "string"
}

Responses

Update an API key

PATCH /v1/api-keys/{id}

Updates an existing API key's name, permissions, and allowed domain / IP restrictions. The plaintext secret is intentionally not rotated here — rotation will be a separate flow. Pass an empty array (or omit) for allowed_domains / allowed_ips to lift the restriction.

Changes typically take effect on the next request, but updated permissions and restrictions may take up to 5 minutes to propagate due to gateway caching.

Parameters

idstringin path[required]

Request body

Send as JSON with Content-Type: application/json.

namestring[required]

permissionsstring[required]

One of: full, send_only.

allowed_domainsarray of string[optional]

May be null.

allowed_ipsarray of string[optional]

May be null.

Example request

curl https://api.anypost.com/v1/api-keys/key_550e8400-e29b-41d4-a716-446655440000 \
  -X PATCH \
  -H "Authorization: Bearer $ANYPOST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "string",
    "permissions": "full"
  }'

Response body

On success (200), the response body is:

idstring

namestring

key_prefixstring

The first 12 characters of the key, shown for identification.

permissionsstring

One of: full, send_only.

allowed_domainsarray of string

Domains this key may send from. Null means all verified domains.

May be null.

allowed_ipsarray of string

IP addresses or CIDR blocks allowed to use this key. Null means all IPs.

May be null.

last_used_atstring (date-time)

May be null.

created_atstring (date-time)

{
  "id": "key_550e8400-e29b-41d4-a716-446655440000",
  "name": "Production server",
  "key_prefix": "ap_AbCdEf12Kx",
  "permissions": "full",
  "allowed_domains": [
    "string"
  ],
  "allowed_ips": [
    "string"
  ],
  "last_used_at": "string",
  "created_at": "string"
}

Responses

Delete an API key

DELETE /v1/api-keys/{id}

Permanently deletes the key. Requests using a deleted key may continue to authenticate for up to 5 minutes due to gateway caching.

Parameters

idstringin path[required]

Example request

curl https://api.anypost.com/v1/api-keys/key_550e8400-e29b-41d4-a716-446655440000 \
  -X DELETE \
  -H "Authorization: Bearer $ANYPOST_API_KEY"

Responses