REST API Reference
Programmatic access to mailboxes, domains, and email via API keys.
Authentication
API keys authenticate requests to the laim.email REST API and JMAP endpoints. Include your key in the Authorization header:
Authorization: Bearer lm_sk_live_...
Key Format
- Live keys: lm_sk_live_<32 chars> (full access to production resources)
- Test keys: lm_sk_test_<32 chars> (sandbox mode: emails captured, never delivered)
Keys are hashed with SHA-256 before storage. The raw key is returned once on creation and cannot be retrieved afterward. Create keys via Dashboard → Developer → API Keys (session auth required). API keys cannot create other API keys.
If the key is invalid, the request fails immediately — it does not fall back to session cookie auth.
Endpoints
| Method | Path | Scope Required |
|---|---|---|
| GET | /api/v1/mailboxes | mailbox:read |
| POST | /api/v1/mailboxes | mailbox:create |
| GET | /api/v1/domains | domain:read |
| POST | /api/v1/domains | domain:manage |
| GET | /api/v1/mailboxes/quota-status | mailbox:read |
| POST | /api/v1/mailboxes/:id/disable | mailbox:manage |
| POST | /api/v1/mailboxes/:id/quota | mailbox:manage |
| DELETE | /api/v1/mailboxes/:id | mailbox:manage |
| POST | /api/v1/domains/:id/verify | domain:manage |
| POST | /api/v1/domains/:id/enable-outbound | domain:manage |
| POST | /api/v1/domains/:id/suspend-outbound | domain:manage |
JMAP Endpoints
All JMAP proxy routes also accept API key authentication.
| Method | Path | Sandbox Enforcement |
|---|---|---|
| GET | /jmap/session | N/A (read-only) |
| POST | /jmap/ | Blocks Email/set and EmailSubmission/set |
| POST | /jmap/upload/:accountId | N/A (upload only) |
Scopes
Each key has a list of scopes controlling which endpoints it can access. Format: resource:action.
| Scope | Grants Access To |
|---|---|
| mailbox:read | mailboxes.list, mailboxes.quotaStatus |
| mailbox:create | mailboxes.create |
| mailbox:manage | mailboxes.setMailboxQuota, mailboxes.disable, mailboxes.delete |
| mailbox:* | All mailbox operations |
| domain:read | domains.list |
| domain:manage | domains.add, domains.verify, domains.enableOutbound, domains.suspendOutbound |
| domain:* | All domain operations |
| developer:read | developer.rateLimits, developer.requestRateLimits |
| developer:* | All developer operations |
| * | All API-exposed operations (global wildcard) |
Scope Matching Rules
- Exact match: mailbox:read grants access to procedures requiring mailbox:read
- Resource wildcard: mailbox:* grants access to all procedures under the mailbox resource
- Global wildcard: * grants access to all API-exposed procedures
- Empty scopes: [] grants no API access at all
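The matching rules above, combined with the Endpoints table, can be modeled as a small deny-by-default check, useful for verifying that a key's scope list is as narrow as intended before issuing it. This is an added example, not laim.email's own code: the function names are hypothetical, and rejecting unknown routes and malformed or wildcard required scopes is an assumption of this sketch.

```python
# Added example: models the documented scope rules; not the service's implementation.
# Required scope per route, copied from the Endpoints table above.
ROUTES = [
    ("GET", "/api/v1/mailboxes", "mailbox:read"),
    ("POST", "/api/v1/mailboxes", "mailbox:create"),
    ("GET", "/api/v1/domains", "domain:read"),
    ("POST", "/api/v1/domains", "domain:manage"),
    ("GET", "/api/v1/mailboxes/quota-status", "mailbox:read"),
    ("POST", "/api/v1/mailboxes/:id/disable", "mailbox:manage"),
    ("POST", "/api/v1/mailboxes/:id/quota", "mailbox:manage"),
    ("DELETE", "/api/v1/mailboxes/:id", "mailbox:manage"),
    ("POST", "/api/v1/domains/:id/verify", "domain:manage"),
    ("POST", "/api/v1/domains/:id/enable-outbound", "domain:manage"),
    ("POST", "/api/v1/domains/:id/suspend-outbound", "domain:manage"),
]


def scope_allows(granted, required):
    """True if any granted scope satisfies a concrete resource:action scope."""
    resource, sep, action = required.partition(":")
    # Assumption: the required side is never a wildcard and must be well formed.
    if not sep or not resource or not action or "*" in required:
        return False
    for scope in granted:
        if scope == "*" or scope == required or scope == resource + ":*":
            return True  # global wildcard, exact match, or resource wildcard
    return False  # also covers the empty scope list []


def required_scope(method, path):
    """Look up the scope a request needs; None if the route is not in the table."""
    parts = path.split("/")
    for route_method, pattern, scope in ROUTES:
        pat = pattern.split("/")
        # A ":name" segment matches any non-empty path segment.
        if route_method == method and len(pat) == len(parts) and all(
            (p.startswith(":") and s) or p == s for p, s in zip(pat, parts)
        ):
            return scope
    return None


def authorize(granted, method, path):
    """Deny by default: unknown routes fail even for the global wildcard."""
    required = required_scope(method, path)
    return required is not None and scope_allows(granted, required)
```

Because the resource wildcard is compared as the full string resource + ":*", a grant of mailbox:* does not leak into a differently named resource that merely shares the prefix.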
Sandbox Mode
Test keys (lm_sk_test_*) activate sandbox mode, designed like Stripe's test mode:
| Behavior | Live Key | Test Key |
|---|---|---|
| Create mailboxes | Yes | Yes |
| List domains | Yes | Yes |
| Send email (JMAP Email/set) | Delivered to recipient | Synthetic success (not delivered) |
| Submit email (JMAP EmailSubmission/set) | Delivered | Synthetic success (not delivered) |
| JMAP session / read operations | Yes | Yes |
| Webhooks | Fire normally | Fire normally |
Rate Limits
Per-organization rate limits apply to both session and API key requests:
| Protocol | Limit |
|---|---|
| SMTP | 60 requests/min |
| IMAP | 120 requests/min |
| JMAP | 300 requests/min |
Rate Limit Headers
Returned on all API responses:
- X-RateLimit-Limit: requests allowed per window
- X-RateLimit-Remaining: requests remaining
- X-RateLimit-Reset: window reset time (Unix epoch seconds)
Session-Only Endpoints
The following endpoints are not accessible via API keys and require dashboard session authentication:
- Billing (billing.*)
- Organization management (orgs.*)
- IMAP imports (imports.*)
- Data export (data.*)
- Usage snapshots (usage.*)
- Abuse controls (abuse.*)
- API key management (create, revoke, list)