API reference
Send email
Send transactional mail only from your verified custom domains over HTTPS — password resets, receipts, alerts, and similar event-driven messages. Not for newsletters or marketing bulk. One endpoint, domain-scoped API keys, delivery through AWS SES.
Overview
Generate keys in Account → Domains → your domain → API after DNS verification is complete. The full secret is shown once — store it securely. Optional SMTP credentials in the same Domains panel follow the same transactional-only rules.
Transactional mail only
Unbox HTTP API (POST /v1/email) and optional SMTP submission are for transactional mail only — messages tied to an account action, purchase, or operational event. They are not a newsletter or marketing broadcast service.
Permitted uses
- Account verification, password resets, and security alerts
- Order confirmations, receipts, shipping updates, and payment notices
- Notifications triggered by a specific user or system event
- Team and workspace messages (invites, assignments, internal alerts)
Prohibited uses
- Newsletters, promotional campaigns, or broadcast marketing
- Cold outreach or mail to purchased, scraped, or non-consenting lists
- Affiliate spam, phishing, or deceptive content
- Any attempt to bypass recipient caps, rate limits, or plan quotas
Rate and recipient limits
To protect recipients and deliverability, outbound API and SMTP traffic is subject to the limits below (in addition to your plan's monthly outbound quota). Enforcement is live on the web composer, HTTP API, and SMTP submission. The web composer warns after 25 recipients per message and blocks sends above 50.
| Limit | Value |
|---|---|
| Recipients per message | Up to 50 total (To + Cc + Bcc combined) |
| Unique recipients per day | Up to 1,000 per workspace |
| Send request rate | Up to 10 API or SMTP submissions per minute per domain |
| Plan outbound quota | Monthly send limits on your subscription still apply |
These rules are part of our Acceptable Use Policy. Automated enforcement is live on the web composer, HTTP API, and SMTP submission. Accounts that send marketing or bulk mail, or otherwise abuse sending infrastructure, may be throttled, suspended, or terminated.
We monitor deliverability signals. Sustained bounce rates above 3% or complaint rates above 0.1% may trigger a temporary send pause or manual review.
See our Terms of Service, Privacy Policy, and GDPR Statement for full policy details.
Authentication
Send your domain API key on every request:
Authorization: Bearer ubk_live_xxxxxxxxxxxxxxxxxxxxxxxxAlternatively, use X-Api-Key: ubk_live_…. Keys are stored hashed; revoke or rotate from the Domains dashboard.
Request body
JSON with PascalCase field names (From, To, …). camelCase aliases are also accepted.
| Field | Required | Description |
|---|---|---|
From | Yes | Sender — your personal mailbox on the key's domain (primary or alias). Shared queues are not valid senders. |
To | Yes | Recipient(s) — string, comma-separated string, or array |
Subject | Yes | Subject line |
TextBody | One of TextBody / HtmlBody | Plain text body |
HtmlBody | One of TextBody / HtmlBody | HTML body |
Cc | No | Copy recipients |
Bcc | No | Blind copy recipients |
ReplyTo | No | Reply-To address |
Tag | No | Optional metadata tag (stored with the send) |
Example
{
"From": "you@yourdomain.com",
"To": "user@example.com",
"Subject": "Welcome",
"TextBody": "Thanks for signing up.",
"HtmlBody": "<p>Thanks for signing up.</p>",
"ReplyTo": "you@yourdomain.com",
"Tag": "welcome"
}Success response
HTTP 200 with JSON:
{
"ErrorCode": 0,
"Message": "OK",
"MessageID": "0100018…-000000-…",
"SubmittedAt": "2026-06-23T12:00:00.000Z",
"To": "user@example.com"
}Error responses
Errors return 4xx (or 500 for unexpected failures) with JSON:
{
"ErrorCode": 300,
"Message": "TextBody or HtmlBody is required."
}| ErrorCode | Meaning |
|---|---|
0 | Success |
10 | Missing API key |
11 | Invalid or revoked key, or domain not verified for sending |
300 | Validation error (missing fields, invalid JSON, etc.) |
403 | From address not allowed — must be your personal mailbox on the key's domain |
406 | SES rejected the message |
Examples
Replace you@yourdomain.com with your personal mailbox on the domain and use your own API key.
curl "https://api.unbox.im/v1/email" \
-H "Authorization: Bearer ubk_live_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{
"From": "you@yourdomain.com",
"To": "user@example.com",
"Subject": "Welcome",
"TextBody": "Thanks for signing up.",
"HtmlBody": "<p>Thanks for signing up.</p>",
"ReplyTo": "you@yourdomain.com",
"Tag": "welcome"
}'Getting started
- Create an Unbox account and add your custom domain.
- Complete all DNS verification steps in Domains.
- Open Domains → your domain → API and generate a domain key.
- Send your first message with the examples above.