Provide sending API keys specific to domains.
This would enable finer grained control for development teams that have multiple environments or applications using the same account.
For example, credentials to send from development / sending domains would be different than the ones needed to send from the production domain.
I’m happy to announce that we’ve released our Domain Sending Keys feature. Domain Sending Keys will allow you to create multiple API keys, similar to SMTP credentials, per domain that will only allow sending messages via our /messages and /messages.mime endpoints for the domain the key was created for.
Domain Sending Keys are available on your account today. You can assign new keys to your domains by navigating to “Sending” > “Domains”, select a sending domain, then click on “Domain Settings” and then on the Sending API keys tab. From there, click on “Add Sending Key”, provide a useful description, hit “Create Sending Key”, copy your key and add to your application and start sending!
We hope you enjoy using this new feature!
Shrikrishna Holla commented
This seems to just solve it for sending emails though. We have receiving hooks as well, and need to be able to use the apis to register new routes etc in dev, and it doesn't seem good that we have to use the single api key in dev too. Kindly allow using the generated sending keys with other api endpoints too, or add a new mechanism for the same
Daniel Marashlian commented
Chris, what's the expected rollout date to allow SMTP credentials to authenticate against the API?
Matthew Sammut commented
This is a must to have especially when companies like ourselves use Mailgun across hundreds of websites. If something has to go south on one of them, we will have to go through all the sites to change the API key which is ridiculous!
Omar Tanti commented
Ideally (which would also be backwards compatible) the current global api key is still there and devs can still use it to to any domain they want, but we should have another api key available per domain. When setting up the domain we can either set the domain to use the global API key for authentication or else authenticate with the domain's respective api key only.
This would make it much safer since every domain can have its own API key and if an API key s compromised it is only related to one domain. It would also make it much easier for us developers to regenerate and reset the domain's API key since we do not have to go through all our domains.
Luke rohde commented
We were using shared API credentials for a dozen domains, probably because of difficulty with SMTPS.
We just had a credentials breach, and it made it hard to track down the system with the vulnerability.
I would love a per domain API key.
Ruben de Vries commented
it's insane this has been open for years, we need to give all our engineers access to being able to send mail from any domain just for them to be able to test any mail related features from their dev env ...
Is there any movement on this?
This is a pretty annoying problem, if for example a key gets leaked, and you have 100 domains in your account, thats 100 websites you're going to need to update the key onto, which is very troublesome!
A simple scenario is if you build a website for somebody, then another team take over and it's your personal API key, not linked to the domain, then the other team has the key for everything, and you cant just revoke it without breaking all the other websites you run...
I think the ask here is that we are able to have multiple sets of credentials -- would we simply issue API credentials using this method (and thus, be able to have multiple keys)?
Adam Royle commented
@Chris This sounds like a great idea!
Георгий Драк commented
I was very surprised that mailgun doesn't have such obvious feature. We are adding multiple domains in our account for different applications. Using one key for all of them is very unsafe and unconvinient. Please, fix it.
Wow, I can believe this thread is 6 years, and still not implemented.
This Idea is stupid, who wants to secure their production API keys actually? Every developer should always get all the production keys handed out to test stuff properly. with production accounts. this is obvious. how else?
The mailgun team understands this obvious fact and just keeps the paranoia-driven-nerds discuss on their own. - someday they will get it
It's a great restriction to only have one API key. When developing solutions for multiple systems that send email via a single account in Mailgun, with the current setup we'd have to share our API key with third parties that manage those systems.
How the API key is handled by those parties might not be up to scratch, so being able to isolate a single API key to a certain network or list of IP addresses is really important in relation to risk management.
At the moment in Mailgun multiple system support with one API key is only possible via using SMTP credentials or by setting up multiple accounts - one for each system.
Mailchimp allow multiple API key creation, so it's definitely doable. What would be great to see is multiple API keys per domain, with whitelist restrictions around each API key along with the ability to add notes to the API key to store information on where it is used.
I am new to Mailgun. We use the service for an application which is deployed to multiple environments, e.g. test, stage, prod, to which different people have access. I guess this a very common scenario.
Mailgun is a great service. I was very surprised to figure out, that Mailgun does not support creating multiple API keys or managing API keys independent of a Mailgun user. I spent time in the documentation while thinking "it cannot be the case that they do not have it while they offer such a bunch of other great features".
Now I am wondering, if creating multiple API keys is on the roadmap?
This is a must have feature, our API Key has been compromised and there is no way to generate a new key or replace the on we have!
Hmm... How can you ignore such an important feature for so long.
Any updates on if this will ever be implemented? This is pretty critical to a reasonable development workflow because now you either need multiple accounts or to use production keys in devel.
Charlie Hayes commented
This should probably be merged with https://mailgun.uservoice.com/forums/156243-general/suggestions/7179404-implement-a-test-api-key
Bret Weinraub commented
This would be really nice. Mailgun is a nice service, but I'm feeling like I need to create a new account for every domain.......
Till Backhaus commented
I'd really appreciate it if you fixed this.