API Keys API
API reference for creating, listing, and revoking API keys in Taifa Mail.
Base URL: https://govconnect.ke/v1
All endpoints require authentication via API Key or JWT cookie.
Create an API key
Creates a new API key for programmatic access to the Taifa Mail API. The raw key is returned only once in the response. Store it securely.
Request body:
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
name | string | Yes | -- | A human-readable name for the key. |
permissions | string[] | No | ["send"] | Permissions granted to this key. |
Available permissions
Keys are deny-by-default: a route protected by a scope only accepts a key that carries that scope. The canonical scopes are:
| Scope | Description |
|---|---|
emails:send | Send transactional and batch emails. |
emails:read | Read emails, events, and search. |
domains:read | Read domains and their DNS records. |
domains:write | Create, verify, and manage domains. |
contacts:read | Read contact lists and contacts. |
contacts:write | Create and modify contacts and lists. |
webhooks:read | Read webhook endpoints and deliveries. |
webhooks:write | Create and manage webhook endpoints. |
analytics:read | Read analytics. |
You can also store group aliases in permissions, which expand to the
scopes above: send (the historic default) expands to emails:send,
read to emails:read, emails to both email scopes, domains,
contacts, and webhooks to their read+write pair, and *, all,
admin, or full to every canonical scope.
When permissions is omitted it defaults to ["send"], granting
emails:send only.
Response (201 Created):
The full key value starts with tfm_k_ and is passed as Authorization: Bearer tfm_k_.... The key_prefix is the first 8 characters after the tfm_k_ prefix and is used to identify the key in list responses.
The key field is only returned when the key is created. It cannot be retrieved again. If you lose it, revoke the key and create a new one.
cURL
Python
Node.js
List API keys
Returns an array of active API keys for the authenticated account. The raw key value is never returned in list responses; only the prefix is shown.
Response:
Python
Node.js
Deactivate an API key
Permanently deactivates an API key. Any requests made with this key after deactivation will receive a 401 Unauthorized response.
| Parameter | Type | Description |
|---|---|---|
key_id | UUID (path) | The ID of the API key to deactivate. |
Response (204 No Content):
No response body.
Python
Node.js
Deactivating a key is irreversible. If you need access again, create a new key. Deactivated keys are excluded from the list response.
Errors
| Status | Description |
|---|---|
401 Unauthorized | Missing or invalid authentication. |
404 Not Found | The specified key ID does not exist or does not belong to your account. |