Documentation

Fortsend API

Everything is a JSON HTTP API under https://fortsend.com/api. Responses wrap payloads in a data field; failures return an error message and a meaningful status code.

Quickstart

  1. Sign in to the dashboard and add your sender domain.
  2. Create the DNS records shown for the domain at your DNS provider, then click “Check DNS”.
  3. Create a mailbox (for example noreply@yourdomain.com) once the domain is provisioned.
  4. Create an API key and store the secret — it is shown exactly once.
  5. Send email with one POST request.
curl -X POST https://fortsend.com/api/send \
  -H "Authorization: Bearer fs_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "noreply@yourdomain.com",
    "to": "customer@example.com",
    "subject": "Your receipt",
    "text": "Thanks for your order.",
    "html": "<p>Thanks for your order.</p>"
  }'

A successful call returns HTTP 202:

{
  "data": {
    "id": "msg_…",
    "from": "noreply@yourdomain.com",
    "to": "customer@example.com",
    "subject": "Your receipt",
    "status": "sent",
    "messageId": "…",
    "createdAt": "2026-06-10T12:00:00.000Z"
  }
}

Authentication

The send endpoint authenticates with a bearer API key: Authorization: Bearer fs_…. Keys carry the email:send scope only — they can never manage domains, mailboxes, or other keys. Management endpoints authenticate with your dashboard session (Clerk). Secrets are stored as SHA-256 hashes; a lost key cannot be recovered, only revoked and replaced.

Endpoints

MethodPathAuthPurpose
POST/api/sendAPI key or sessionSend a transactional email from a verified domain.
GET/api/workspaceSessionFull workspace snapshot: domains, mailboxes, keys, activity, usage.
GET/api/domainsSessionList sender domains.
POST/api/domainsSessionAdd a sender domain and receive its DNS records.
POST/api/domains/{domainId}/verifySessionRe-check DNS and provision the domain when records resolve.
POST/api/domains/{domainId}/diagnoseSessionGet a plain-language explanation of failing DNS records, when the deliverability assistant is enabled.
DELETE/api/domains/{domainId}SessionDelete a domain and its mailboxes.
GET/api/mailboxesSessionList mailboxes.
POST/api/mailboxesSessionCreate a mailbox on a provisioned domain. Returns a one-time password.
DELETE/api/mailboxes/{mailboxId}SessionDelete a mailbox.
GET/api/api-keysSessionList API keys (previews only, never secrets).
POST/api/api-keysSessionCreate an API key. The secret is returned exactly once.
DELETE/api/api-keys/{keyId}SessionRevoke an API key immediately.

Domain verification records

Adding a domain returns these records. Ownership and MX must resolve before the domain is provisioned.

RecordHostValuePurpose
TXT_fortsend.yourdomain.comfortsend-verify=<token>Proves domain ownership.
MXyourdomain.com10 <mail host>Routes mail through your mail host.
SPF (TXT)yourdomain.comv=spf1 mx -allAuthorizes your mail host to send.
DMARC (TXT)_dmarc.yourdomain.comv=DMARC1; p=none; rua=mailto:postmaster@yourdomain.comAlignment reporting policy.
DKIM (TXT)default._domainkey.yourdomain.comProvisioned with the domainCryptographically signs outbound mail.

Limits

  • Send rate: 120 requests per minute per workspace by default. Exceeding it returns 429 with a Retry-After header.
  • Monthly quota: enforced per workspace against your plan. Quota exhaustion returns 429.
  • Payload: subject up to 998 characters; text and HTML bodies up to 500,000 characters each.

Errors

StatusMeaning
400Validation failed — the error field explains which input to fix.
401Missing or invalid credentials (bad API key, or no session).
403Authenticated, but the API key lacks the email:send scope.
429Rate limit or monthly quota reached. Honor the Retry-After header.
502The mail provider rejected the send; the log records the reason.