In Postmark, there are three different kinds of Tokens for authentication with our API and SMTP.
An API Token is a randomly generated alpha-numeric string that’s used to authenticate different things in Postmark. It’s almost like a username and password all rolled into one.
To find the Server API token, head to the API Tokens tab in each of your Servers in Postmark. You can use these tokens for most functions in Postmark, including your default SMTP username and password, all API calls involving sending, querying sent messages, the Bounce API, and many other common tasks. Account Owners and Account Admins can see Server API Tokens for all Servers in an account. Server Admins can also view the Server API Tokens for Servers they are assigned to.
The Account API Token is required for API actions that only the Account Owner and Account Admin have access to. This includes: setting up new Servers, adding new Sender Signatures and creating new Templates. The Account API Token can be found on the API Tokens page in the Account section. Account Owners and Account Admins can see Account API Tokens, while Server Admins and Server Viewers cannot.
An SMTP Token is a way to authenticate SMTP sending through different Streams within Postmark, these can be used in place of the Server API Token. They can be generated within the Settings tab in each of your Outbound Streams in Postmark. The Tokens are unique to the Stream they're generated in. They are made up of two parts that are tied together:
- The Access key acts as the username for the SMTP connection.
- The Secret Key acts as the password for the SMTP connection. After a secret key is generated, it's not visible after the page is reloaded. If the Secret Key is lost, a new SMTP Token will need to be generated.
The Access Key and Secret Key can only be used with the other value they were generated with.