API overview
Everything is JSON over HTTPS. The full contract (all 106 operations) lives in the OpenAPI specification; these pages cover the concepts and the calls you will actually use.
Prefer it interactive? Browse all endpoints, copy snippets and send live requests.
Open the API explorer →Authentication
| Surface | Base path | Auth header |
|---|---|---|
| Messaging: send, read, templates, stats | /api/v2/server | X-Server-API-Key |
| Management: orgs, servers, domains, … | /api/v2/admin | X-Admin-API-Key or Authorization: Bearer |
| Accounts: login, 2FA, SSO | /api/v2/auth | Authorization: Bearer |
Application integrations only need a server API key (dashboard: Server → Credentials). Admin API keys are machine keys with full management access. Create them with camelmailer make-admin-api-key or in the dashboard. Bearer tokens come from loginand are scoped by the user's role.
The response envelope
{ "status": "success", "time": 0.004, "data": { … } }
{ "status": "error", "time": 0.004, "error": { "code": "ValidationError", "message": "…" } }Branch on error.code, not on prose. The codes are stable: Unauthorized, Forbidden, NotFound, ValidationError, ParameterMissing, plus auth-specific ones like InvalidCredentials, TOTPRequired and AccountLocked.
Pagination
List endpoints take page and per_page (capped at 100) and return totals alongside the items.
Permissions model
RBAC roles per organization: viewer < member < admin < owner, plus global admins. Non-members receive 404 (not 403) for foreign organizations. The API does not leak which orgs exist. The last owner of an organization cannot be demoted or removed.
