API overview

Everything is JSON over HTTPS. The full contract (all 106 operations) lives in the OpenAPI specification; these pages cover the concepts and the calls you will actually use.

Prefer it interactive? Browse all endpoints, copy snippets and send live requests.

Open the API explorer →

Authentication

SurfaceBase pathAuth header
Messaging: send, read, templates, stats/api/v2/serverX-Server-API-Key
Management: orgs, servers, domains, …/api/v2/adminX-Admin-API-Key or Authorization: Bearer
Accounts: login, 2FA, SSO/api/v2/authAuthorization: Bearer

Application integrations only need a server API key (dashboard: Server → Credentials). Admin API keys are machine keys with full management access. Create them with camelmailer make-admin-api-key or in the dashboard. Bearer tokens come from loginand are scoped by the user's role.

The response envelope

{ "status": "success", "time": 0.004, "data": {} }
{ "status": "error",   "time": 0.004, "error": { "code": "ValidationError", "message": "…" } }

Branch on error.code, not on prose. The codes are stable: Unauthorized, Forbidden, NotFound, ValidationError, ParameterMissing, plus auth-specific ones like InvalidCredentials, TOTPRequired and AccountLocked.

Pagination

List endpoints take page and per_page (capped at 100) and return totals alongside the items.

Permissions model

RBAC roles per organization: viewer < member < admin < owner, plus global admins. Non-members receive 404 (not 403) for foreign organizations. The API does not leak which orgs exist. The last owner of an organization cannot be demoted or removed.

Import openapi.yaml into Postman, Insomnia or your codegen of choice. It is the authoritative contract and always matches the deployed version.