Authentication
Learn how to authenticate with the Taifa Mail API using API keys, JWT cookies, or OAuth.
All Taifa Mail API requests require authentication. There are three methods depending on your use case.
Method 1: API Key (recommended for backends)
Best for server-to-server communication, scripts, and CI/CD pipelines.
Create an API key at Settings → API Keys, then send it as a Bearer token:
API keys use the tfm_k_ prefix and carry a set of permission scopes. See API Keys for details on creating, scoping and managing keys.
Method 2: JWT Cookie (dashboard sessions)
When you sign into the Taifa Mail dashboard via Google or GitHub OAuth, the server issues a JWT stored in an HttpOnly, Secure, SameSite=Strict cookie. The browser sends this cookie automatically with every request.
You do not need to manage JWT cookies manually. This method is used internally by the dashboard frontend.
The JWT also carries your active workspace, so dashboard requests are automatically scoped to the workspace you are viewing. Besides Google and GitHub OAuth, the dashboard also supports magic-link sign-in and optional two-factor authentication.
OAuth flow
- User visits
/auth/googleor/auth/github. - Taifa Mail redirects to the OAuth provider.
- Provider redirects back with an authorization code.
- Taifa Mail exchanges the code for a user profile.
- Taifa Mail creates or updates the local user record.
- Taifa Mail issues a JWT and sets it as an
HttpOnlycookie. - User is redirected to the dashboard.
JWT details
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Access token lifetime | 60 minutes |
| Refresh token lifetime | 30 days |
| Cookie flags | HttpOnly, Secure, SameSite=Strict |
Method 3: OAuth (AI assistants / MCP)
Taifa Mail is also an OAuth 2.1 authorization server, used by AI assistants that connect through the MCP server.
A client registers via Dynamic Client Registration (RFC 7591) and runs
the authorization-code flow with PKCE. The user signs in and approves
the connection on a consent screen; the client receives a short-lived
mcp_access token. The API accepts that token in the same
Authorization: Bearer header as an API key.
Discovery metadata is published at:
/.well-known/oauth-authorization-server/.well-known/oauth-protected-resource(served by the MCP server)
Each connection is recorded as a grant. Revoking it from Settings → Connections in the dashboard invalidates the token immediately. You normally never set this up by hand - your AI client runs the whole flow. See the MCP server guide.
Which method to use
| Scenario | Method |
|---|---|
| Backend sending emails | API Key |
| Script or CLI tool | API Key |
| CI/CD pipeline | API Key |
| Browser-based dashboard | JWT Cookie (automatic) |
| Custom frontend calling Taifa Mail API | API Key (from your backend, not the browser) |
| AI assistant / MCP client | OAuth (or an API key) |
Never expose API keys in client-side code (browser JavaScript, mobile apps). Always proxy API calls through your own backend.
Error responses
| Status | Meaning |
|---|---|
401 Unauthorized | No token provided, or the token is invalid/expired. |
403 Forbidden | Token is valid but you do not have permission for this action (e.g. admin-only endpoint, plan limit reached). |
401 example:
403 example:
If you receive a 401 error with a valid API key, check that the key has not been revoked and that you are including the Bearer prefix in the Authorization header.