Authentication
Bearer-token auth on every request.
Every request to api.ephemail.io must include an Authorization header.
curl https://api.ephemail.io/v1/addresses \
-H "Authorization: Bearer sk_live_xxx"Key scopes
read— list and fetch addresses, messages, domainswrite— create/delete addresses, send mail, manage webhooksadmin— manage members, billing, security
IP allowlists
Restrict each key to a list of CIDRs in Settings → API keys. Requests from other IPs return 403.
Rotation
Rotate keys without downtime: create a second key, deploy, then revoke the old one. Revocation is immediate.