Mailofly Docs

Product guide

API keys

API keys authenticate requests to Mailofly’s public /api/v1 routes. Each key is tied to your user, can have a label and optional expiry, and uses the mf_live_ prefix so you can spot secrets in config files.

What it is

When you create a key, the full secret is shown once. The app stores only a hash server-side. Send the key as Authorization: Bearer <key>. Your deployment must have the service role credential configured so Mailofly can validate keys.

How it helps

  • Automation — scripts and backends can manage contacts, campaigns, and sends without browser login.
  • Rotation — create multiple keys, retire old ones, set expiries for contractors.
  • Least privilege mindset — keys act as the owning user; combine with your own policies for who can create them.

How to use it

Visit API keys, create a key, copy it into your environment or secret manager, then call the API from your stack. Use GET /api/v1 without a key to discover routes.

Vs only using Supabase keys

Direct database keys would bypass Mailofly’s business rules. The Mailofly API key maps to your user through the app’s validation layer so quotas, RLS-backed data access, and campaign logic stay consistent.

Related