Fortsend API
Everything is a JSON HTTP API under https://fortsend.com/api. Responses wrap payloads in a data field; failures return an error message and a meaningful status code.
Quickstart
- Sign in to the dashboard and add your sender domain.
- Create the DNS records shown for the domain at your DNS provider, then click “Check DNS”.
- Create a mailbox (for example
noreply@yourdomain.com) once the domain is provisioned. - Create an API key and store the secret — it is shown exactly once.
- Send email with one POST request.
curl -X POST https://fortsend.com/api/send \
-H "Authorization: Bearer fs_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"from": "noreply@yourdomain.com",
"to": "customer@example.com",
"subject": "Your receipt",
"text": "Thanks for your order.",
"html": "<p>Thanks for your order.</p>"
}'A successful call returns HTTP 202:
{
"data": {
"id": "msg_…",
"from": "noreply@yourdomain.com",
"to": "customer@example.com",
"subject": "Your receipt",
"status": "sent",
"messageId": "…",
"createdAt": "2026-06-10T12:00:00.000Z"
}
}Authentication
The send endpoint authenticates with a bearer API key: Authorization: Bearer fs_…. Keys carry the email:send scope only — they can never manage domains, mailboxes, or other keys. Management endpoints authenticate with your dashboard session (Clerk). Secrets are stored as SHA-256 hashes; a lost key cannot be recovered, only revoked and replaced.
Endpoints
| Method | Path | Auth | Purpose |
|---|---|---|---|
POST | /api/send | API key or session | Send a transactional email from a verified domain. |
GET | /api/workspace | Session | Full workspace snapshot: domains, mailboxes, keys, activity, usage. |
GET | /api/domains | Session | List sender domains. |
POST | /api/domains | Session | Add a sender domain and receive its DNS records. |
POST | /api/domains/{domainId}/verify | Session | Re-check DNS and provision the domain when records resolve. |
POST | /api/domains/{domainId}/diagnose | Session | Get a plain-language explanation of failing DNS records, when the deliverability assistant is enabled. |
DELETE | /api/domains/{domainId} | Session | Delete a domain and its mailboxes. |
GET | /api/mailboxes | Session | List mailboxes. |
POST | /api/mailboxes | Session | Create a mailbox on a provisioned domain. Returns a one-time password. |
DELETE | /api/mailboxes/{mailboxId} | Session | Delete a mailbox. |
GET | /api/api-keys | Session | List API keys (previews only, never secrets). |
POST | /api/api-keys | Session | Create an API key. The secret is returned exactly once. |
DELETE | /api/api-keys/{keyId} | Session | Revoke an API key immediately. |
Domain verification records
Adding a domain returns these records. Ownership and MX must resolve before the domain is provisioned.
| Record | Host | Value | Purpose |
|---|---|---|---|
TXT | _fortsend.yourdomain.com | fortsend-verify=<token> | Proves domain ownership. |
MX | yourdomain.com | 10 <mail host> | Routes mail through your mail host. |
SPF (TXT) | yourdomain.com | v=spf1 mx -all | Authorizes your mail host to send. |
DMARC (TXT) | _dmarc.yourdomain.com | v=DMARC1; p=none; rua=mailto:postmaster@yourdomain.com | Alignment reporting policy. |
DKIM (TXT) | default._domainkey.yourdomain.com | Provisioned with the domain | Cryptographically signs outbound mail. |
Limits
- Send rate: 120 requests per minute per workspace by default. Exceeding it returns 429 with a
Retry-Afterheader. - Monthly quota: enforced per workspace against your plan. Quota exhaustion returns 429.
- Payload: subject up to 998 characters; text and HTML bodies up to 500,000 characters each.
Errors
| Status | Meaning |
|---|---|
400 | Validation failed — the error field explains which input to fix. |
401 | Missing or invalid credentials (bad API key, or no session). |
403 | Authenticated, but the API key lacks the email:send scope. |
429 | Rate limit or monthly quota reached. Honor the Retry-After header. |
502 | The mail provider rejected the send; the log records the reason. |