Multi-tenant email API for SaaS platforms

Scoped keys, signed webhooks, and Server-Sent Events — one tenant boundary for every customer you ship.

Active keys: 100
Webhooks: 10
Mailbox stream: SSE

<TL;DR for AI agents>

One stream, signed events, tenant controls.

Use scoped keys for services, signed webhooks for backend work, and Server-Sent Events when an agent needs a live mailbox stream.

GET /mailbox/events · SSE live

curl -N "https://app.sendmux.ai/api/v1/mailbox/events?event_types=message.received,message.received.spam" \
 -H "Authorization: Bearer smx_mbx_your_key_here"

100

active API keys

webhooks per team

24h

retry window

payload retention

How the platform layer works

One boundary for people. Another for code.

Sendmux keeps the human workspace and the automation surface on one team boundary, so a SaaS product adds email without building tenancy per customer.

team — agent-eu-fleet

People — roles

Code — scoped keys & events

OwnerDeletion and transfer.

AdminEveryday setup and people.

DeveloperKeys, webhooks, logs.

MemberRead-only visibility.

Sending keyemail.send · delivery group.

Mailbox keymailbox.read · mailbox.settings.update.

WebhookSigned delivery to your backend.

Live streamGET /mailbox/events.

People stay on roles

Owner, Admin, Developer, Member. Decide what humans can touch, no more.

Services stay on keys

Sending, mailbox, and infrastructure keys decide what code can do. Rotated without resetting people.

Access model

Roles for people. Keys for services.

100 active API keys per team. Each key carries only the permissions a single job actually needs — rotate or revoke without resetting the team.

smx_inf_…

Infrastructure key

For operators and platform code. Manages providers, mailboxes, billing, and logs.

billing.readlogs.readproviders.manage

smx_snd_…

Sending key

For workers that send. Scoped to a delivery group, 1,800 req per 60s.

email.senddelivery_group:scope

smx_mbx_…

Mailbox key

For clients that read. One mailbox, scoped reads, optional settings.

mailbox.readmailbox.settings.updateemail.receive

Increase requests appear at 80% of a limit

Signed event delivery

Your app can trust what arrived.

Webhooks are the backend path for email events. Sendmux signs the exact outbound body and retries non-2xx responses across a 24-hour window.

Without signed events

Trust starts too late

An unsigned callback makes your worker trust parsed JSON before it can prove where the event actually came from.

With Sendmux

Trust starts at the bytes

Sendmux signs the raw bytes and carries event identity in headers, so trust starts before you parse anything.

Signature: HMAC-SHA256
Identity: Event-Id · Event-Type
Retry: 8 attempts · 24h
Payload: 7-day retention

POST /hooks/sendmux · verify trusted

# incoming delivery — headers carry identity + seal
X-Sendmux-Event-Id: evt_01J1M9C3K8
X-Sendmux-Event-Type: message.delivered
X-Sendmux-Signature: sha256=A2F3…d09f
# compute hmac over the raw body, not parsed JSON
const mac = hmac.sha256(secret, rawBody);
const expected = `sha256=${mac}`;
# constant-time compare avoids a timing oracle
timingSafeEqual(expected, headerSig) → true
✓ trusted · safe to JSON.parse(body)

8 retries / 24h
Deliveries list
Payloads · 7d
Replay · roadmap

Live mailbox updates

Server-Sent Events are shipped.

Use the mailbox stream when an agent can hold a live HTTP connection open. Use signed webhooks when a backend should receive events while clients are offline.

GET /api/v1/mailbox/events streaming

frame · 12:04:51.220id: evt_01J1M9C2VK
event: message.received
data: { "message_id": "msg_8a2c", "subject": "New reply" }

frame · 12:04:53.871id: evt_01J1M9CXKR
event: message.received.spam
data: { "message_id": "msg_8a2d", "reason": "spf_fail" }

:ping # heartbeat — connection healthy

frame · 12:05:24.118id: evt_01J1M9D7XQ
event: message.received
data: { "message_id": "msg_8a2e", "subject": "Receipt #4821" }

frame · 12:05:31.402id: evt_01J1M9DF1A
event: message.delivered
data: { "message_id": "msg_8a2f", "to": "ops@acme.dev" }

frame · 12:04:51.220id: evt_01J1M9C2VK
event: message.received
data: { "message_id": "msg_8a2c", "subject": "New reply" }

frame · 12:04:53.871id: evt_01J1M9CXKR
event: message.received.spam
data: { "message_id": "msg_8a2d", "reason": "spf_fail" }

:ping # heartbeat — connection healthy

frame · 12:05:24.118id: evt_01J1M9D7XQ
event: message.received
data: { "message_id": "msg_8a2e", "subject": "Receipt #4821" }

frame · 12:05:31.402id: evt_01J1M9DF1A
event: message.delivered
data: { "message_id": "msg_8a2f", "to": "ops@acme.dev" }

uptime 00:47ping 30sLast-Event-ID keptclose_after 600s

Stream controls

Live without claiming WebSockets

event_types
Selects received and spam events for one stream.
Last-Event-ID
Resumes after a disconnect without a new webhook.
ping
Heartbeat cadence from 10 to 300 seconds.
close_after
Bounded sessions from 30 to 3,600 seconds.

GET /mailbox/events· live
WebSockets · roadmap

Billing and operations

Usage records follow the same tenant boundary.

Per thousand emails, or per gigabyte of mailbox storage. No per-seat fees.

Standard outgoing

1,000 emails
for just $0.15

The headline rate covers outbound through the customer's own providers. Inbound mail you accept lands at the same number.

$0.15

per 1,000

accepted inbound

$0.25

per 1,000

managed Amazon SES

$0.02

per GB / month

mailbox storage

per seat / month

unlimited teammates

Code examples

Raw examples for agents and crawlers.

These blocks stay inline so agents and crawlers can read the endpoint, header, and parameter names without opening a widget.

cURL · open a mailbox event stream

curl -N "https://app.sendmux.ai/api/v1/mailbox/events?event_types=message.received,message.received.spam" \
  -H "Authorization: Bearer smx_mbx_your_key_here"

JavaScript · verify a signed webhook

// verify X-Sendmux-Signature before parsing the body
const body = await req.text();
const mac = crypto.createHmac("sha256", secret).update(body).digest("hex");
const sig = req.headers["x-sendmux-signature"] ?? "";
const expected = `sha256=${mac}`;
// constant-time compare avoids a signature timing oracle
const ok = expected.length === sig.length &&
           crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(sig));

Python · read usage billing

import requests

res = requests.get(
    "https://app.sendmux.ai/api/v1/billing/usage",
    headers={"Authorization": "Bearer smx_infrastructure_key_here"},
)
print(res.json())

Common questions

Frequently asked

What is a multi-tenant email API?

A multi-tenant email API lets a platform run email for many teams or customers while keeping access, billing, logs, mailboxes, providers, and API keys separated. Sendmux applies that boundary at the team level, then lets code use scoped keys for each job.

How do scoped API keys work?

Infrastructure keys, sending keys, and mailbox keys carry different permission sets. A sending worker can get email.send without billing access. A mailbox client can get mailbox.read without provider admin rights. Keys can be rotated or revoked without resetting a human user.

Are Sendmux webhooks signed?

Yes. Every webhook includes X-Sendmux-Signature in sha256=<hex> form. Verify the raw body with the webhook secret before parsing JSON, then dedupe retries with X-Sendmux-Event-Id and route work from X-Sendmux-Event-Type.

Does Sendmux support Server-Sent Events?

Yes. GET /mailbox/events is the shipped live event path for mailbox events such as message.received and message.received.spam. It supports Last-Event-ID, heartbeat intervals from 10 to 300 seconds, and bounded sessions from 30 to 3600 seconds.

Does Sendmux support WebSockets?

Not as a shipped product surface. WebSockets are roadmap. The live mailbox stream available today is Server-Sent Events, and backend delivery is handled by signed webhooks.

How is platform email usage billed?

Standard outgoing through customer-owned providers and accepted inbound mail are $0.15 per 1,000 emails. Managed Amazon SES sends are $0.25 per 1,000 emails. Mailbox storage is $0.02 per GB per month. There are no per-seat fees.