Guide 6 of 8
API Keys
API keys authenticate SDK and REST API calls. Each key is tied to your user account and can access any inbox you have permission to reach. Assign scopes to limit what the key can do. The key value is shown only once — copy it immediately.
Create an API Key
Via web UI: Settings → API Keys → New API Key → enter a name → select scopes → optionally set an expiry date → Create → copy the key.
Via SDK:
const created = await mf.apiKeys.create({
name: 'github-actions-prod',
scopes: ['emails:read', 'inboxes:read'],
expires_at: '2026-12-31T00:00:00Z', // optional
});
console.log(created.key); // shown once — store this immediatelyAvailable Scopes
All scopes are available on every plan — scope availability is not tier-gated. Only grant the scopes your integration actually needs.
| Scope | What it allows |
|---|---|
| emails:read | List emails, read body and attachments, extract OTPs and URLs |
| emails:write | Delete emails |
| inboxes:read | List inboxes and read inbox metadata |
| inboxes:write | Create, update, and delete inboxes |
| aliases:read | List aliases and read alias metadata |
| aliases:write | Create and delete aliases |
| apikeys:read | List your API keys and read their metadata (not the key value) |
| apikeys:write | Create, revoke, and rotate your API keys |
Key Limits
| Plan | Max API keys |
|---|---|
| Free | 1 |
| Pro | 10 |
| Team | 10 per member |
Free plan users can rotate their one key without consuming their quota — rotation is quota-neutral.
Rotate a Key
The SDK provides an atomic rotate() method that revokes the old key and issues a new one
with the same name, scopes, and expiry in a single call. The old key is immediately invalid.
// Atomic rotation — old key revoked, new key returned in one call
const newKey = await mf.apiKeys.rotate(keyId);
console.log(newKey.key); // store this immediately — old key is now invalidTo revoke a key without replacement (e.g., decommissioning a CI secret):
await mf.apiKeys.revoke(keyId);