We need a more in-depth permissions management system with the API. Right now, only the admin role can create SMTP credentials. We are not comfortable having an admin API key floating around, that if someone malicious is putting his hand on it, he could be able to delete every existing SMTP keys / users. A permissions system instead of roles could be a great idea. If it's too complicated, you can create a new role for adding SMTP credentials only. Or maybe simply add the permission to create keys, but not delete, to the developers role.