Authentication
Every request is authenticated with an API key sent as a bearer token.
The API authenticates requests with an API key. Send it in the Authorization header as a bearer
token on every request:
A missing or invalid key returns 401 Unauthorized as application/problem+json.
Key types
A live key only works against production; a test key only works against the sandbox. Sending a test
key to production (or vice-versa) is rejected as 401.
Managing keys
Create, view, and rotate keys in your USGM dashboard. Each key acts on one customer’s mailbox — everything the key can do runs as that customer.
Store keys in environment variables or a secrets manager, never in source control or client-side code. If a key leaks, rotate it immediately — a rotated key stops working right away.
Best practices
- One key per integration. Use a dedicated key per app or agent so you can rotate one without disrupting the others.
- Prefer the sandbox while building. Point at
https://api-sandbox.usglobalmail.comwith ausgmk_test_…key until you’re ready to handle live mail. - Rotate on a schedule and on any suspected exposure.