Stitchflow
Back to directory
Postmark logo

Postmark User Management API Guide

API workflow

How to automate user lifecycle operations through APIs with caveats that matter in production.

UpdatedMar 11, 2026

Summary and recommendation

Postmark's API is split across two distinct token types: the Account API token (account-wide operations: servers, sender signatures, domains) and the Server API token (per-server operations: sending, templates, message streams). Using the wrong token type returns a 401 with no further detail, which is the most common integration error.

There is no OAuth 2.0 flow; all authentication is static token-based via the X-Postmark-Account-Token or X-Postmark-Server-Token HTTP header.

Critically, Postmark has no user or member management API. Account team members can only be added or removed via the web UI; there are no REST endpoints for user provisioning, role assignment, or deprovisioning.

Any identity graph that models Postmark access must treat the web UI as the sole authoritative source for team membership state, with no programmatic sync path available.

API quick reference

Has user APINo
Auth methodAPI token via HTTP header (X-Postmark-Account-Token or X-Postmark-Server-Token)
Base URLOfficial docs
SCIM availableNo
SCIM plan requiredEnterprise

Authentication

Auth method: API token via HTTP header (X-Postmark-Account-Token or X-Postmark-Server-Token)

Setup steps

  1. Log in to Postmark account at postmarkapp.com.
  2. For account-level operations (servers, sender signatures, domains): navigate to Account > API Tokens and copy the Account API token.
  3. For server-level operations (sending email, message streams): navigate to the specific Server > API Tokens and copy the Server API token.
  4. Pass the token in the request header: 'X-Postmark-Account-Token: ' or 'X-Postmark-Server-Token: '.
  5. Set 'Accept: application/json' and 'Content-Type: application/json' headers on all requests.

User object / data model

User object field mapping is not yet verified for this app.

Core endpoints

List Servers

  • Method: GET
  • URL: https://api.postmarkapp.com/servers
  • Watch out for: Requires Account API token, not Server token.

Request example

GET /servers?count=10&offset=0
X-Postmark-Account-Token: <account-token>
Accept: application/json

Response example

{
  "TotalCount": 2,
  "Servers": [
    {"ID": 1, "Name": "MyServer", "ApiTokens": ["xxx"]}
  ]
}

Get Server

  • Method: GET
  • URL: https://api.postmarkapp.com/servers/{serverid}
  • Watch out for: Server ID is numeric, not a slug.

Request example

GET /servers/12345
X-Postmark-Account-Token: <account-token>

Response example

{
  "ID": 12345,
  "Name": "Production",
  "Color": "red",
  "SmtpApiActivated": true
}

Create Server

  • Method: POST
  • URL: https://api.postmarkapp.com/servers
  • Watch out for: Basic plan is limited to 10 servers; Pro/Platform plans remove this limit.

Request example

POST /servers
X-Postmark-Account-Token: <account-token>

{"Name": "NewServer", "Color": "blue"}

Response example

{
  "ID": 99,
  "Name": "NewServer",
  "ApiTokens": ["new-token-xxx"]
}

Edit Server

  • Method: PUT
  • URL: https://api.postmarkapp.com/servers/{serverid}
  • Watch out for: Full PUT semantics; omitted fields revert to defaults.

Request example

PUT /servers/12345
X-Postmark-Account-Token: <account-token>

{"Name": "UpdatedName"}

Response example

{
  "ID": 12345,
  "Name": "UpdatedName"
}

Delete Server

  • Method: DELETE
  • URL: https://api.postmarkapp.com/servers/{serverid}
  • Watch out for: Deleting a server is irreversible and removes all associated message history.

Request example

DELETE /servers/12345
X-Postmark-Account-Token: <account-token>

Response example

{
  "ErrorCode": 0,
  "Message": "Server deleted."
}

List Sender Signatures

  • Method: GET
  • URL: https://api.postmarkapp.com/senders
  • Watch out for: Sender signatures must be confirmed via email before use.

Request example

GET /senders?count=50&offset=0
X-Postmark-Account-Token: <account-token>

Response example

{
  "TotalCount": 1,
  "SenderSignatures": [
    {"ID": 1, "EmailAddress": "sender@example.com", "Confirmed": true}
  ]
}

Create Sender Signature

  • Method: POST
  • URL: https://api.postmarkapp.com/senders
  • Watch out for: A confirmation email is sent; the signature cannot be used until confirmed.

Request example

POST /senders
X-Postmark-Account-Token: <account-token>

{"FromEmail": "new@example.com", "Name": "My Sender"}

Response example

{
  "ID": 55,
  "EmailAddress": "new@example.com",
  "Confirmed": false
}

List Domains

  • Method: GET
  • URL: https://api.postmarkapp.com/domains
  • Watch out for: Domain-level DKIM/SPF verification status is read-only; verification is triggered separately.

Request example

GET /domains?count=50&offset=0
X-Postmark-Account-Token: <account-token>

Response example

{
  "TotalCount": 1,
  "Domains": [
    {"ID": 10, "Name": "example.com", "SPFVerified": true, "DKIMVerified": true}
  ]
}

Rate limits, pagination, and events

  • Rate limits: Postmark enforces rate limits per server token. Exceeding limits returns HTTP 429. No publicly documented per-plan tier differences in rate limits.
  • Rate-limit headers: No
  • Retry-After header: No
  • Rate-limit notes: Postmark does not publish specific numeric rate limits in official docs. Retry with exponential backoff on HTTP 429 responses. Bulk sending should use batch endpoints (up to 500 messages per request).
  • Pagination method: offset
  • Default page size: 100
  • Max page size: 500
  • Pagination pointer: offset / count
Plan Limit Concurrent
All plans Not publicly specified; 429 returned on excess 0
  • Webhooks available: Yes
  • Webhook notes: Postmark supports inbound and outbound webhooks configured per server/message stream. Outbound webhooks fire on email delivery events. Inbound webhooks POST parsed inbound email payloads to a configured URL.
  • Alternative event strategy: Webhooks can also be configured via the Account API: POST /webhooks on a server.
  • Webhook events: Delivery, Bounce, SpamComplaint, Open, Click, SubscriptionChange, Inbound (parsed inbound email)

SCIM API status

  • SCIM available: No
  • SCIM version: Not documented
  • Plan required: Enterprise
  • Endpoint: Not documented

Limitations:

  • Postmark does not offer a SCIM API as of the current documentation review.
  • No SSO or IdP integration (Okta, Entra, Google Workspace, OneLogin) is officially supported.
  • User management within Postmark accounts is handled manually via the web UI; there is no REST endpoint for managing account users/members.

Common scenarios

Three primary automation scenarios are well-supported by the API. First, provisioning a new sending server: POST to https://api.postmarkapp.com/servers with the Account API token, then parse the response for ID and ApiTokens[0] and store the server token securely. Basic plan accounts are hard-capped at 10 servers; a creation attempt beyond that limit returns an error.

Second, adding and verifying a sender signature: POST to https://api.postmarkapp.com/senders with the Account API token. The confirmation email is sent to the From address itself - if that mailbox does not exist or is unmonitored, confirmation will never complete. Poll GET /senders/{id} until Confirmed is true before using the address in any send operation.

Third, enumerating servers and auditing webhook configurations: GET https://api.postmarkapp.com/servers?count=500&offset=0 to retrieve all servers, then GET https://api.postmarkapp.com/webhooks?server_id={id} per server. Webhook configurations are per-server and per-message-stream; a server with multiple message streams requires separate webhook entries per stream.

Provision a new sending server and retrieve its API token

  1. POST https://api.postmarkapp.com/servers with Account API token and body {"Name": "ClientX-Production", "Color": "green"}.
  2. Parse the response to extract 'ID' and 'ApiTokens[0]' for the new server.
  3. Store the server API token securely for use in sending operations.

Watch out for: Basic plan accounts are capped at 10 servers. Attempting to create an 11th returns an error. Upgrade to Pro/Platform to remove this limit.

Add and verify a sender signature for a new domain

  1. POST https://api.postmarkapp.com/senders with Account API token and body {"FromEmail": "noreply@newdomain.com", "Name": "New Domain Sender"}.
  2. Instruct the domain owner to click the confirmation link sent to noreply@newdomain.com.
  3. Poll GET https://api.postmarkapp.com/senders/{id} until 'Confirmed' is true before using the address in sends.

Watch out for: The confirmation email is sent to the From address itself; if the mailbox does not exist or is not monitored, confirmation will never complete.

Enumerate all servers and their webhook configurations

  1. GET https://api.postmarkapp.com/servers?count=500&offset=0 with Account API token to retrieve all servers.
  2. For each server ID, GET https://api.postmarkapp.com/webhooks?server_id={id} using the Account API token to list configured webhooks.
  3. Compare webhook URLs and event types against expected configuration; use PUT /webhooks/{id} to update or POST /webhooks to create missing ones.

Watch out for: Webhook endpoints are per-server and per-message-stream; a server with multiple message streams requires separate webhook configurations per stream.

Why building this yourself is a trap

The most significant architectural caveat for any integration is the complete absence of a user management API. Postmark cannot be included in automated identity graph workflows for provisioning or deprovisioning team members; those operations are UI-only.

Any tooling - including an MCP server with 60+ deep IT/identity integrations - that attempts to model Postmark's identity surface must account for this gap explicitly and fall back to manual steps for all user lifecycle events.

Additional caveats to surface early: the Edit Server endpoint uses full PUT semantics, meaning omitted fields revert to defaults rather than being preserved. Deleting a server via API is permanent and removes all associated message history with no recovery path.

Postmark does not publish numeric rate limits; implement exponential backoff on HTTP 429 responses and use batch endpoints (up to 500 messages per request) for bulk sending to reduce exposure to undocumented thresholds.

Automate Postmark workflows without one-off scripts

Stitchflow builds and maintains end-to-end IT automation across your SaaS stack, including apps without APIs. Built for exactly how your company works, with human approvals where they matter.

Every app coverage, including apps without APIs
60+ app integrations plus browser automation for apps without APIs
IT graph reconciliation across apps and your IdP
Less than a week to launch, maintained as APIs and admin consoles change
SOC 2 Type II. ~2 hours of your team's time
Book a Demo

UpdatedMar 11, 2026

* Details sourced from official product documentation and admin references.

Keep exploring

Related apps

6sense logo

6sense

Manual Only
AutomationNot Supported
Last updatedFeb 2026

6sense user management lives entirely in Settings > User Management (https://analytics.6sense.com/settings/user-management). The platform uses a role-based access control model scoped per product module — ABM, Sales Intelligence (SI), and Conversationa

Admin guideAPI guide
Alkami logo

Alkami

Manual Only
AutomationNot Supported
Last updatedMar 2026

Alkami is an enterprise-only digital banking platform sold exclusively to financial institutions such as banks and credit unions. It is not a general-purpose SaaS tool, and its admin and user-management documentation is not publicly available. Independ

Admin guideAPI guide
AmazingHiring logo

AmazingHiring

Manual Only
AutomationNot Supported
Last updatedMar 2026

AmazingHiring is a recruiter-facing sourcing platform sold on a pay-per-seat, annual billing model. There is no native SCIM support and no publicly documented IdP integration, which means every app lifecycle event — onboarding, role change, offboarding

Admin guideAPI guide