API keys in MailFork work differently now. Previously, creating a key required you to be part of an org or team — which blocked Free and Pro users who just wanted to automate against their personal inboxes. That restriction is gone.
Keys are now tied to your user account. If you have a MailFork account, you can create an API key.
What changed
Before: Keys were scoped to an org. Creating one required navigating org settings, which didn’t exist for personal (Free/Pro) accounts at all.
Now: Keys live under Settings → API Keys — one place, regardless of whether you’re on a personal plan or part of a team. All your keys in one list.
Creating a key
const created = await mf.apiKeys.create({
name: 'ci-pipeline',
scopes: ['emails:read', 'inboxes:read'],
});
console.log(created.key); // save this — shown only once
The key value is returned once on creation. Store it in a secrets manager (GitHub Actions Secrets, AWS Secrets Manager, etc.) before dismissing the dialog.
Scopes
Eight scopes, no tier-gating — all plans get access to all of them:
| Scope | What it allows |
|---|---|
emails:read | List emails, read body, extract OTPs and URLs |
emails:write | Delete emails |
inboxes:read | List inboxes and metadata |
inboxes:write | Create, update, and delete inboxes |
aliases:read | List aliases |
aliases:write | Create and delete aliases |
apikeys:read | List your keys |
apikeys:write | Create, revoke, and rotate keys |
Only grant what your integration actually needs. A CI pipeline that reads emails and creates aliases only needs emails:read and aliases:write.
Key limits
| Plan | Keys |
|---|---|
| Free | 1 |
| Pro | 10 |
| Team | 10 per member |
Rotating keys without downtime
The SDK now has an atomic rotate() method. It revokes the old key and issues a new one — with the same name, scopes, and expiry — in a single call. There’s no window where you have zero valid keys.
// Old key is immediately invalid after this call
const newKey = await mf.apiKeys.rotate(keyId);
console.log(newKey.key); // store this immediately
Free plan users can rotate their one key without it counting against their quota. Rotation is quota-neutral — the key count stays at one.
If you need to revoke without replacing:
await mf.apiKeys.revoke(keyId);
Listing your keys
const keys = await mf.apiKeys.list();
// Returns non-revoked keys — key_prefix shown, not the full value
The list returns metadata — name, scopes, expiry, last used — not the plaintext key. The key itself is only available at creation time.
To get started, go to Settings → API Keys in the MailFork web app, or see the API Keys guide for the full reference.