Getting started
Authentication
Every request to the API carries a single Bearer token — your API key. There are no OAuth dances to reach the API itself; the key is the whole contract.
API keys
Create keys in the dashboard under Settings → API keys. A key looks like pmi_live_9f2c8b1e4a7d… and is shown to you exactly once, at creation. PostMyIsh stores only its SHA-256 hash (plus a short prefix and the last four characters for display), so a database leak never exposes a usable credential — and there’s no way to recover a key later. Lost it? Revoke it and mint a new one.
Send the key
Pass the key in the Authorization header using the Bearer scheme:
Authorization: Bearer pmi_live_9f2c8b1e4a7d…The quickest way to confirm a key works is Get current user, which echoes back your plan, limits, and usage.
curl https://postmyish.com/api/v1/me \
-H "Authorization: Bearer $POSTMYISH_KEY"Treat keys like passwords
Managing keys
- Create several. Give each project or environment its own named key so you can rotate one without disturbing the rest.
- Revoke instantly. Revoking a key takes effect on the next request — the token stops resolving and every call returns
401. - Watch usage. Each authenticated request counts toward your monthly allowance. See the running total under
usage.api_calls_this_monthfrom Get current user, and the ceilings in Rate limits & plans.
When authentication fails
Both cases return HTTP 401 with a descriptive error message:
| Situation | Response |
|---|---|
| No or malformed Authorization header | Missing API key. Send `Authorization: Bearer pmi_live_…`. |
| Unknown or revoked key | Invalid or revoked API key. |
Best practices
- Load keys from environment variables, never hard-coded literals.
- Use separate keys for development and production.
- Rotate on a schedule, and immediately if a key may have leaked.
- Keep all calls on your server. If a browser or app needs to publish, proxy the request through your backend so the key never reaches the client.