Have api keys specific to domains.
This would enable finer grained control for development teams that have multiple environments.
For example, credentials to send from development / sending domains would be different than the ones needed to send from the production domain.
Our current plan here is to allow for SMTP credentials to authenticate with our /messages API endpoint, meaning they would they would be allowed to send messages via SMTP or API.
Let me know if you have thoughts on this proposed solution.
Is there any movement on this?
This is a pretty annoying problem, if for example a key gets leaked, and you have 100 domains in your account, thats 100 websites you're going to need to update the key onto, which is very troublesome!
A simple scenario is if you build a website for somebody, then another team take over and it's your personal API key, not linked to the domain, then the other team has the key for everything, and you cant just revoke it without breaking all the other websites you run...
I think the ask here is that we are able to have multiple sets of credentials -- would we simply issue API credentials using this method (and thus, be able to have multiple keys)?
Adam Royle commented
@Chris This sounds like a great idea!
Георгий Драк commented
I was very surprised that mailgun doesn't have such obvious feature. We are adding multiple domains in our account for different applications. Using one key for all of them is very unsafe and unconvinient. Please, fix it.
Wow, I can believe this thread is 6 years, and still not implemented.
This Idea is stupid, who wants to secure their production API keys actually? Every developer should always get all the production keys handed out to test stuff properly. with production accounts. this is obvious. how else?
The mailgun team understands this obvious fact and just keeps the paranoia-driven-nerds discuss on their own. - someday they will get it
It's a great restriction to only have one API key. When developing solutions for multiple systems that send email via a single account in Mailgun, with the current setup we'd have to share our API key with third parties that manage those systems.
How the API key is handled by those parties might not be up to scratch, so being able to isolate a single API key to a certain network or list of IP addresses is really important in relation to risk management.
At the moment in Mailgun multiple system support with one API key is only possible via using SMTP credentials or by setting up multiple accounts - one for each system.
Mailchimp allow multiple API key creation, so it's definitely doable. What would be great to see is multiple API keys per domain, with whitelist restrictions around each API key along with the ability to add notes to the API key to store information on where it is used.
I am new to Mailgun. We use the service for an application which is deployed to multiple environments, e.g. test, stage, prod, to which different people have access. I guess this a very common scenario.
Mailgun is a great service. I was very surprised to figure out, that Mailgun does not support creating multiple API keys or managing API keys independent of a Mailgun user. I spent time in the documentation while thinking "it cannot be the case that they do not have it while they offer such a bunch of other great features".
Now I am wondering, if creating multiple API keys is on the roadmap?
This is a must have feature, our API Key has been compromised and there is no way to generate a new key or replace the on we have!
Hmm... How can you ignore such an important feature for so long.
Any updates on if this will ever be implemented? This is pretty critical to a reasonable development workflow because now you either need multiple accounts or to use production keys in devel.
Charlie Hayes commented
This should probably be merged with https://mailgun.uservoice.com/forums/156243-general/suggestions/7179404-implement-a-test-api-key
Bret Weinraub commented
This would be really nice. Mailgun is a nice service, but I'm feeling like I need to create a new account for every domain.......
Till Backhaus commented
I'd really appreciate it if you fixed this.
crazy this hasn't been done, there are very high profile examples of security breaches due to developers losing prod API keys - in my country this could lead to multimillion-dollar fines if private user data was to be leaked
Shane Turner commented
This is vital for us as well. We've had to migrate our clients to MailChimp.
Rolands Umbrovskis commented
just asked the same thing from support :)
Chris Moyer commented
And the ability to reset them... right now I can't even do that. What happens when my API key gets stolen?
Yes this is really needed! I wonder why mailgun still hasn't.