
API Keys

Create and manage API keys for programmatic access to the Taifa Mail API.

API keys let you authenticate with the Taifa Mail API from your backend, scripts, or CI/CD pipelines without using browser-based login.

Creating an API key

  1. Go to Settings → API Keys.
  2. Click Create API Key.
  3. Give the key a descriptive name (e.g. "Production backend", "Staging tests").
  4. Choose the permission scopes the key should carry (see Permissions below). New keys default to the send scope.
  5. Click Create.
  6. Copy the key immediately.

The full API key is shown only once at creation time. If you lose it, you must delete the key and create a new one. There is no way to retrieve an existing key.

The number of active keys you can hold depends on your plan. When you reach the limit, delete an unused key before creating another.

Key format

All Taifa Mail API keys use the prefix tfm_k_ followed by a random string:

tfm_k_7f3a9b2c1d4e5f6a8b9c0d1e2f3a4b5c

The prefix makes keys easy to identify in logs and secret scanners. Only a short prefix of each key is stored on our side; the rest is hashed, so the full key cannot be recovered after creation.
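
A small scanner and log scrubber built on the tfm_k_ prefix described above. This is an added example, not Taifa Mail's own code; the key pattern (16 or more letters and digits after the prefix), the four-character redaction length, and the sample lines are assumptions.

```python
import re
import sys

PREFIX = "tfm_k_"
# Assumption: the docs only say "a random string" after the prefix (their sample
# is 32 hex characters), so accept any run of 16+ letters and digits.
KEY_RE = re.compile(re.escape(PREFIX) + r"[A-Za-z0-9]{16,}")


def redact(key: str, keep: int = 4) -> str:
    """Keep the prefix and a few characters (keep=4 is an assumption) so a
    finding can be matched to a key listed in Settings -> API Keys."""
    return key[: len(PREFIX) + keep] + "...[REDACTED]"


def scan(lines):
    """Return (line_number, redacted_key) for each key-shaped token."""
    return [
        (n, redact(m.group()))
        for n, line in enumerate(lines, 1)
        for m in KEY_RE.finditer(line)
    ]


def scrub(line: str) -> str:
    """Replace keys in a log line before it is written or shipped."""
    return KEY_RE.sub(lambda m: redact(m.group()), line)


# Constructed sample input: line 1 reuses the sample key from the docs,
# line 2 is the docs' placeholder, line 3 is a made-up access-log entry.
SAMPLE = [
    "TAIFA_API_KEY=tfm_k_7f3a9b2c1d4e5f6a8b9c0d1e2f3a4b5c",
    '-H "Authorization: Bearer tfm_k_YOUR_API_KEY"',
    'POST /v1/emails 200 auth="Bearer tfm_k_0123456789abcdef0123456789abcdef"',
]

if __name__ == "__main__":
    # With file arguments (e.g. from a pre-commit hook) scan those files;
    # otherwise scan the constructed sample. Exit 1 when anything is found.
    paths = sys.argv[1:]
    found = []
    for path in paths:
        with open(path, errors="replace") as fh:
            found += [(path, n, k) for n, k in scan(fh)]
    if not paths:
        found = [("<sample>", n, k) for n, k in scan(SAMPLE)]
    for path, n, key in found:
        print(f"{path}:{n}: possible Taifa Mail API key {key}")
    sys.exit(1 if found else 0)
```

The placeholder tfm_k_YOUR_API_KEY is not reported because the underscore breaks the run of letters and digits before it reaches 16 characters.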

Using an API key

Pass the key in the Authorization header as a Bearer token:

curl https://govconnect.ke/v1/emails \
  -H "Authorization: Bearer tfm_k_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "from_": {"email": "hello@yourdomain.com", "name": "Your Company"},
    "to": [{"email": "recipient@example.com", "name": "Jane"}],
    "subject": "Hello from Taifa Mail",
    "html": "<p>This is a test email.</p>",
    "text": "This is a test email."
  }'

Python example

import requests
 
response = requests.post(
    "https://govconnect.ke/v1/emails",
    headers={"Authorization": "Bearer tfm_k_YOUR_API_KEY"},
    json={
        "from_": {"email": "hello@yourdomain.com", "name": "Your Company"},
        "to": [{"email": "recipient@example.com", "name": "Jane"}],
        "subject": "Hello from Taifa Mail",
        "html": "<p>This is a test email.</p>",
        "text": "This is a test email.",
    },
)
print(response.json())

Node.js example

const response = await fetch("https://govconnect.ke/v1/emails", {
  method: "POST",
  headers: {
    Authorization: "Bearer tfm_k_YOUR_API_KEY",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    from_: { email: "hello@yourdomain.com", name: "Your Company" },
    to: [{ email: "recipient@example.com", name: "Jane" }],
    subject: "Hello from Taifa Mail",
    html: "<p>This is a test email.</p>",
    text: "This is a test email.",
  }),
});
const data = await response.json();
console.log(data);

Permissions

Every API key carries a list of permission scopes, set when the key is created. A key only grants the scopes it was issued with - it is not a full-access credential. New keys default to the send scope.

Each key's scopes are shown next to it in Settings → API Keys, along with its prefix, creation date, and when it was last used. Scope a key down to what the integration actually needs, and use separate keys for separate systems so you can revoke one without affecting the rest.

Revoking a key

  1. Go to Settings → API Keys.
  2. Click Delete next to the key you want to revoke.
  3. Confirm the deletion.

Revocation takes effect immediately - the key is deactivated and any request using it is rejected. Revoked keys are removed from the list and cannot be reactivated.

Rotate your API keys periodically. If you suspect a key has been compromised, revoke it immediately and create a new one.

Security best practices

  • Never commit API keys to version control. Use environment variables or a secrets manager.
  • Use different keys for production and staging environments.
  • Delete keys that are no longer in use.
  • Monitor your API usage in Settings → API Keys for unexpected activity.
