Skip to main content
Every request to the UGMail Management API must be authenticated with a tenant-scoped Bearer token. This token identifies your account, enforces access control, and ensures that operations you perform are isolated to your tenant. There are no API keys, OAuth flows, or rotating secrets to manage — one token covers all Management API endpoints.

Get your Bearer token

Sign in to your UGMail account at my.ugmail.co, then navigate to Settings → API Connection. Your Bearer token is displayed on that page. Click the copy button to grab it.
Your Bearer token grants full management access to your UGMail tenant — including the ability to delete domains and mailboxes. Never commit it to version control, hardcode it in client-side code, or share it in public forums. Store it in an environment variable or a secrets manager such as AWS Secrets Manager, HashiCorp Vault, or your CI/CD platform’s secret store.

Use the token in requests

Include the token in the Authorization header of every Management API request using the Bearer scheme:
The examples below show how to do this in curl, Python, and Node.js.

Error responses

If your token is missing, malformed, or invalid, the API returns one of the following error responses. A 401 response body looks like this:
The Management API does not use session cookies or HTTP Basic auth. If you have previously used another email API that relies on username/password authentication, note that UGMail’s Management API exclusively uses Bearer tokens. SMTP, IMAP, and other protocol connections do use per-mailbox username/password credentials — see the Protocols Overview for details.

Rotate your token

If you believe your token has been compromised or you want to rotate it as part of a routine security practice, return to Settings → API Connection in my.ugmail.co and generate a new token. Your previous token is invalidated immediately upon rotation.
Update every environment — local development, staging, and production — in quick succession after rotating. Because the old token is invalidated immediately, any service still using it will begin returning 401 Unauthorized errors until you deploy the new token.

Next steps

Quickstart

Walk through creating a domain and mailbox using your token.

API Reference

Browse every authenticated endpoint in the Management API.
Last modified on July 17, 2026