Resources/The Agent API Atlas/Marketing/Postmark

Everything an AI agent can do with the Postmark API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints40

AuthenticationServer token

Last updated23 June 2026

Orientation

How the Postmark API works.

The Postmark API is how an app or AI agent works with a Postmark account: sending a transactional or bulk email, sending through a saved template, reading why a message bounced, or searching delivered messages and their opens and clicks. Access is granted through one of two tokens, a server token that reaches one server's mail and stats, and an account token that manages servers, domains, and senders, so the token type sets what a call can touch. Postmark can also push an event when a message is delivered, bounces, or is opened.

40Endpoints

9Capability groups

20Read

20Write

2Permissions

Authentication

Postmark authenticates with a token in a request header, not OAuth. A server token (X-Postmark-Server-Token) is sent for sending mail and reading one server's messages, bounces, and stats; an account token (X-Postmark-Account-Token) is sent for account-level work like servers, domains, and sender signatures. The header name and value are case insensitive, and a missing or wrong token returns 401.

Permissions

Postmark has no granular per-endpoint scopes. The token type is the permission boundary: a server token reaches only the server it belongs to and cannot touch account-level resources, while an account token manages the account but is not used for sending. Access is therefore set by which token an integration holds, not by a list of scopes.

Versioning

Postmark does not version its API with a dated or numbered string, so there is nothing for a request to pin. The API is continuously updated, and notable additions and validation changes are published in dated release notes. An integration follows those notes rather than upgrading a version.

Data model

Postmark is organised around servers and message streams. A server holds a sending and receiving setup with its own token, and within it a message stream separates transactional, broadcast, and inbound mail. Sending returns a MessageID that later joins to delivery, bounce, open, and click records, and a state change is delivered as a webhook payload with a RecordType naming the event.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Postmark determines what it can reach. There is a route for sending and inspecting mail on one server, a route for managing the account's servers, domains, and senders, and an experimental hosted server that exposes Postmark tools to agents, and each is governed by the token behind it.

Ways to connect

REST API

The REST API takes JSON request bodies, returns JSON, and pages lists with count and offset, at https://api.postmarkapp.com. A call authenticates with a token in a header, either X-Postmark-Server-Token for one server's sending and messages or X-Postmark-Account-Token for account-level resources. The Accept and Content-Type headers are application/json.

Best forConnecting an app or AI agent to Postmark.

Governed byThe token type, server or account.

Docs ↗

MCP server (Postmark Labs)

An open-source Model Context Protocol server published by Postmark (ActiveCampaign) at github.com/ActiveCampaign/postmark-mcp exposes Postmark tools to AI agents and MCP clients like Claude Desktop and Cursor. It is run locally over stdio via npx, configured with a POSTMARK_SERVER_TOKEN, a default sender, and a default message stream. Its tools cover sending mail, templates, message search, bounces, suppressions, delivery stats, server info, and webhooks. It is an experimental Postmark Labs project, not a hosted endpoint, and is MIT licensed.

Best forConnecting an AI agent to Postmark through MCP.

Governed byThe server token in its environment configuration.

Docs ↗

Webhooks

Postmark POSTs a JSON payload to a registered HTTPS endpoint when an event happens, like a delivery, bounce, open, click, spam complaint, or inbound message. The payload carries a RecordType naming the event. The receiver is secured with HTTP Basic auth credentials in the URL or with custom headers, and Postmark retries until it gets a 200, stopping on a 403.

Best forReceiving Postmark events at an app or AI agent.

Governed byThe Basic auth or custom headers on the endpoint.

Docs ↗

SMTP

Postmark also accepts outbound mail over SMTP at smtp.postmarkapp.com, authenticated with a server token as both the username and password, or with a stream-specific SMTP token to target a message stream. SMTP covers sending only; bounces, messages, stats, and account management are reached through the REST API.

Best forSending mail from systems that already speak SMTP.

Governed byThe server or stream-specific SMTP token.

Docs ↗

Authentication

Server API token

A server token authorises sending and reading mail on a single server: sending email, templates, bounces, message search, opens, clicks, suppressions, and outbound stats. It is sent in the X-Postmark-Server-Token header and cannot reach account-level resources. Each server has its own token, so the token both identifies the server and bounds what a call can touch.

TokenServer token (X-Postmark-Server-Token)

Best forSending and inspecting mail on one server.

Docs ↗

Account API token

An account token authorises account-level work: creating and managing servers, domains, and sender signatures, and pushing templates between servers. It is sent in the X-Postmark-Account-Token header and is available to Account Owners and Admins. It is not used for sending mail, and it reaches every server in the account.

TokenAccount token (X-Postmark-Account-Token)

Best forManaging servers, domains, and senders across an account.

Docs ↗

SMTP token

A stream-specific SMTP token sends mail over SMTP into a chosen message stream, used as the SMTP username and password. A server token can also be used directly over SMTP. SMTP tokens cover sending only.

TokenSMTP token (per message stream)

Best forRouting SMTP sends to a specific message stream.

Docs ↗

Capability map

What an AI agent can do in Postmark.

The Postmark API is split into areas an agent can act on, like sending email, managing templates, reading bounces, searching delivered messages, and managing servers and domains. Each area is reached with one of two token types, and a write in some areas sends real mail or changes how an account sends.

Email (send)

4 endpoints

Methods for sending transactional and bulk email, with or without a template.

A write here sends real email to real recipients.

View endpoints →

Templates

6 endpoints

Methods for managing the templates an account sends from.

A write here changes or deletes a template used to send mail.

View endpoints →

Bounces

5 endpoints

Methods for reading bounces and reactivating bounced addresses.

A write here reactivates an address Postmark had deactivated.

View endpoints →

Messages

7 endpoints

Methods for searching delivered and received mail and its opens and clicks.

A write here reprocesses or unblocks an inbound message.

View endpoints →

Suppressions

3 endpoints

Methods for the do-not-send list on a message stream.

A write here adds or removes addresses from the do-not-send list.

View endpoints →

Stats

3 endpoints

Read-only counts of sends, bounces, opens, clicks, and spam complaints.

Read-only; these methods do not change anything.

View endpoints →

Servers

5 endpoints

Account-level methods for the servers that hold sending setups.

A write here creates, changes, or deletes a sending server.

View endpoints →

Domains

4 endpoints

Account-level methods for sending domains and their DKIM and Return-Path setup.

A write here changes how a domain authenticates its mail.

View endpoints →

Sender signatures

3 endpoints

Account-level methods for the verified from-addresses an account sends as.

A write here changes or removes a verified sending identity.

View endpoints →

Endpoint reference

Every Postmark API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Email (send) Methods for sending transactional and bulk email, with or without a template.4
POST	`/email`	Send a single email message through a server.	write	`Server token`	Current
Needs the server token. Sends real mail; up to 10 MB including attachments. Acts onemail Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`delivery` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/email/batch`	Send up to 500 messages in one call. Returns 200 even when individual messages fail validation.	write	`Server token`	Current
Needs the server token. Each array entry carries its own ErrorCode; check per message. Up to 500 messages, 50 MB. Acts onemail Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`delivery` Rate limitUp to 500 messages per call SourceOfficial documentation ↗
POST	`/email/withTemplate`	Send a single email rendered from a saved template, with supplied model data.	write	`Server token`	Current
Needs the server token. References a template by id or alias. Acts onemail Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`delivery` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/email/batchWithTemplates`	Send up to 500 template-rendered messages in one call.	write	`Server token`	Current
Needs the server token. Same batch limits as /email/batch. Acts onemail Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`delivery` Rate limitUp to 500 messages per call SourceOfficial documentation ↗
Templates Methods for managing the templates an account sends from.6
GET	`/templates`	List the templates on a server.	read	`Server token`	Current
Read-only. Needs the server token. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/templates/{templateIdOrAlias}`	Get a single template by id or alias.	read	`Server token`	Current
Read-only. Needs the server token. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/templates`	Create a template on a server.	write	`Server token`	Current
Needs the server token. A server may hold up to 100 templates. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/templates/{templateIdOrAlias}`	Edit an existing template.	write	`Server token`	Current
Needs the server token. Changes the template future sends will render. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/templates/{templateIdOrAlias}`	Delete a template from a server.	write	`Server token`	Current
Needs the server token. Sends referencing it by alias then fail. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/templates/validate`	Validate template content and preview the rendered result against supplied model data.	read	`Server token`	Current
Does not save anything; validates and previews only. Needs the server token. Acts ontemplate Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Bounces Methods for reading bounces and reactivating bounced addresses.5
GET	`/deliverystats`	Get delivery statistics and a summary of bounce counts by type for a server.	read	`Server token`	Current
Read-only. Needs the server token. Acts onbounce Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bounces`	Search bounces on a server, filtering by type, status, tag, and date.	read	`Server token`	Current
Read-only. Returns up to 10,000 results through paging. Needs the server token. Acts onbounce Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bounces/{bounceid}`	Get the details of a single bounce.	read	`Server token`	Current
Read-only. Needs the server token. Acts onbounce Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/bounces/{bounceid}/dump`	Get the raw SMTP dump for a bounce.	read	`Server token`	Current
Read-only. Needs the server token. Acts onbounce Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/bounces/{bounceid}/activate`	Reactivate a bounced address so Postmark will send to it again.	write	`Server token`	Current
Needs the server token. Re-enables sending to an address Postmark had deactivated. Acts onbounce Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Messages Methods for searching delivered and received mail and its opens and clicks.7
GET	`/messages/outbound`	Search outbound messages on a server, filtering by recipient, tag, status, and date.	read	`Server token`	Current
Read-only. Returns up to 10,000 results through paging. Needs the server token. Acts onmessage Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/messages/outbound/{messageid}/details`	Get the full details of an outbound message, including body, recipients, and events.	read	`Server token`	Current
Read-only. Needs the server token. Acts onmessage Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/messages/outbound/opens`	Search message opens, with client, OS, and geographic detail.	read	`Server token`	Current
Read-only. Requires open tracking on the messages. Needs the server token. Acts onopen Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/messages/outbound/clicks`	Search link clicks, with client and location detail.	read	`Server token`	Current
Read-only. Requires link tracking on the messages. Needs the server token. Acts onclick Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/messages/inbound`	Search inbound messages received on a server.	read	`Server token`	Current
Read-only. Returns up to 10,000 results through paging. Needs the server token. Acts onmessage Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/messages/inbound/{messageid}/retry`	Reprocess a failed inbound message, re-POSTing it to the inbound webhook.	write	`Server token`	Current
Needs the server token. Triggers another inbound webhook delivery. Acts onmessage Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`inbound` Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/messages/inbound/{messageid}/bypass`	Bypass inbound blocking rules for a message that was held back.	write	`Server token`	Current
Needs the server token. Lets a blocked inbound message through to processing. Acts onmessage Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Suppressions Methods for the do-not-send list on a message stream.3
GET	`/message-streams/{stream_id}/suppressions/dump`	List the suppressed addresses on a message stream, with the reason each is inactive.	read	`Server token`	Current
Read-only. Needs the server token. Acts onsuppression Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/message-streams/{stream_id}/suppressions`	Add up to 50 addresses to a stream's do-not-send list.	write	`Server token`	Current
Needs the server token. Stops future sends to those addresses on the stream. Acts onsuppression Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`subscription-change` Rate limitUp to 50 addresses per call SourceOfficial documentation ↗
POST	`/message-streams/{stream_id}/suppressions/delete`	Remove up to 50 addresses from a stream's do-not-send list, reactivating them.	write	`Server token`	Current
Needs the server token. SpamComplaint suppressions cannot be removed. Acts onsuppression Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook event`subscription-change` Rate limitUp to 50 addresses per call SourceOfficial documentation ↗
Stats Read-only counts of sends, bounces, opens, clicks, and spam complaints.3
GET	`/stats/outbound`	Get an overview of outbound stats: sends, bounces, opens, clicks, and spam complaints.	read	`Server token`	Current
Read-only. Needs the server token. Acts onstat Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/stats/outbound/bounces`	Get total counts of sent emails that bounced.	read	`Server token`	Current
Read-only. Needs the server token. Acts onstat Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/stats/outbound/opens`	Get total counts of recipients who opened emails.	read	`Server token`	Current
Read-only. Needs the server token. Acts onstat Permission (capability)`Server token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Servers Account-level methods for the servers that hold sending setups.5
GET	`/servers`	List the servers on the account.	read	`Account token`	Current
Read-only. Needs the account token, not a server token. Acts onserver Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/servers/{serverid}`	Get the details of a single server.	read	`Account token`	Current
Read-only. Needs the account token. Acts onserver Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/servers`	Create a server, which provisions a new sending setup and its server token.	write	`Account token`	Current
Needs the account token. Mints a new server token an integration could then send with. Acts onserver Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/servers/{serverid}`	Edit a server's settings, like its name, tracking, and webhook URLs.	write	`Account token`	Current
Needs the account token. Can change where events are POSTed. Acts onserver Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/servers/{serverid}`	Delete a server from the account.	write	`Account token`	Current
Needs the account token. Removes the server and invalidates its token. Acts onserver Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Domains Account-level methods for sending domains and their DKIM and Return-Path setup.4
GET	`/domains`	List the sending domains on the account with their authentication status.	read	`Account token`	Current
Read-only. Needs the account token. Acts ondomain Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/domains`	Add a sending domain to the account.	write	`Account token`	Current
Needs the account token. The domain must then pass DKIM and Return-Path checks. Acts ondomain Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
PUT	`/domains/{domainid}/verifyDkim`	Verify the DKIM DNS records for a domain.	write	`Account token`	Current
Needs the account token. Changes how the domain authenticates its mail. Acts ondomain Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/domains/{domainid}/rotatedkim`	Create a new DKIM key to replace the current one for a domain.	write	`Account token`	Current
Needs the account token. Requires updating DNS before the new key is active. Acts ondomain Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Sender signatures Account-level methods for the verified from-addresses an account sends as.3
GET	`/senders`	List the sender signatures, the verified from-addresses on the account.	read	`Account token`	Current
Read-only. Needs the account token. Acts onsignature Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/senders`	Create a sender signature for a from-address, which sends a confirmation email.	write	`Account token`	Current
Needs the account token. The address must confirm before it can send. Acts onsignature Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/senders/{signatureid}`	Delete a sender signature from the account.	write	`Account token`	Current
Needs the account token. Removes a verified sending identity. Acts onsignature Permission (capability)`Account token` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Postmark can notify an app when something happens to a message, like a delivery confirming, an address bouncing, a recipient opening an email or clicking a link, or a spam complaint arriving. It POSTs a JSON payload with a RecordType naming the event, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`Delivery`	A message was accepted by the recipient's mail server. Postmark POSTs a payload with RecordType Delivery.	`/email` `/email/batch` `/email/withTemplate`
`Bounce`	A message could not be delivered and bounced, for example a hard bounce or a spam block. The payload carries the bounce Type and the affected address.	`/email` `/email/batch` `/email/withTemplate`
`SpamComplaint`	A recipient marked a delivered message as spam, which deactivates the address for future sends.	`/email` `/email/batch` `/email/withTemplate`
`Open`	A recipient opened a message that had open tracking enabled. The payload includes client, OS, and geographic detail.	`/email` `/email/withTemplate`
`Click`	A recipient clicked a tracked link in a message that had link tracking enabled.	`/email` `/email/withTemplate`
`SubscriptionChange`	A recipient's suppression status changed, for example an unsubscribe or a reactivation, on a broadcast stream.	`/message-streams/{stream_id}/suppressions` `/message-streams/{stream_id}/suppressions/delete`
`Inbound`	An email arrived at an inbound address. Postmark parses it and POSTs the parsed message, including headers and attachments, to the inbound webhook URL.	`/messages/inbound/{messageid}/retry`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Postmark does not publish a fixed request rate, but it returns a 429 response when calls arrive faster than acceptable use allows, and it caps batch sends, search results, and payload size.

Request rate

Postmark does not publish a fixed request rate. It returns HTTP 429 (Rate Limit Exceeded) when requests arrive faster than acceptable use allows, with guidance to slow the query rate. The clearer ceilings are on volume per call: a batch send takes at most 500 messages, and a message search returns at most 10,000 results.

Pagination

List and search endpoints use offset pagination through count and offset query parameters, where count sets the page size and offset skips ahead. A search returns a TotalCount alongside the page, and the documented maximum reachable through a single search is 10,000 messages.

Request size

A single email may carry up to 10 MB including attachments, while a batch request may carry up to 50 MB. A batch is capped at 500 messages, and a server may hold up to 100 templates.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
401	`Unauthorized`	The API token in the header is missing or incorrect, or the wrong token type was used for the endpoint, like a server token on an account-level call.	Send the correct token for the area: a server token for sending and messages, an account token for servers, domains, and senders.
422	`Unprocessable Entity (ErrorCode)`	The request was understood but rejected, like malformed JSON, an invalid field, an inactive recipient, or a missing sender signature. The body is { ErrorCode, Message } where ErrorCode is a Postmark-specific number.	Branch on ErrorCode, fix the named field or sender, and resend. The request is not retryable as-is.
429	`Rate Limit Exceeded`	Requests arrived faster than acceptable use of the API allows.	Slow the request rate and retry with backoff.
500	`Internal Server Error`	A Postmark-side error occurred while processing the request. In most cases the message is lost during processing.	Retry with backoff, and contact Postmark support if it persists.
503	`Service Unavailable`	Postmark API services are returning this during a planned outage, with an associated JSON body.	Wait and retry; check the Postmark status page for the maintenance window.

Versioning & freshness

Version history.

Postmark does not use dated API versions. There is a single, continuously updated API, and notable changes ship through dated release notes rather than a version string a request can pin.

Version history

What changed, and when

Latest versionCurrent

CurrentCurrent version

Continuously updated API (no version string)

Postmark serves a single, continuously updated API with no dated or numbered version a request can pin. Notable additions and validation changes ship through dated release notes, so an integration follows those notes rather than upgrading a version.

What changed

March 2026: Bulk API, sending one message to many recipients in a single call.
June 2025: experimental Postmark Labs MCP server for AI assistants.
No version string to pin; changes are tracked through release notes.

2023-12

Data Removal API

An account-level API to erase recipient data for GDPR and CCPA compliance, automating data removal requests.

What changed

Programmatic erasure of recipient data.
Supports compliance workflows.

2023-10

Stricter Email API validation

Validation of request headers and JSON body structure was tightened, so previously tolerated malformed requests now return a 422.

What changed

Stricter header and JSON body validation.
Some previously accepted requests now rejected with ErrorCode.

2023-07

Static IP allowlisting deprecated

The API is no longer accessed through static IP allowlisting, changing how locked-down networks reach Postmark.

What changed

Static IP allowlisting for API access removed.

2021-02

Suppressions API reactivation

The Suppressions API gained the ability to reactivate addresses suppressed by an unsubscribe, alongside searching inactive addresses and their reason.

What changed

Reactivate previously unsubscribed recipients.
Search inactive addresses and see the suppression reason.

2019-11

Modular Webhooks API

A dedicated /webhooks endpoint was introduced to create and manage event subscriptions, replacing per-event server settings.

What changed

Manage webhook subscriptions through the API.
Separate webhook configuration per message stream.

There is nothing to pin; an integration tracks the dated release notes for changes.

Postmark API updates ↗

Questions

Postmark API, answered.

What is the difference between the server token and the account token?+

A server token (X-Postmark-Server-Token) belongs to one server and is used for sending email and reading that server's messages, bounces, opens, clicks, and stats. An account token (X-Postmark-Account-Token) covers account-level work like creating servers, managing domains, and managing sender signatures, and is not used to send mail. The token type is the access boundary, so an integration uses whichever token matches the area it needs.

Does Postmark have per-endpoint scopes or permissions?+

No. Postmark has no granular scope system. The only permission boundary is the token type: a server token reaches one server's mail and stats, an account token reaches account-level resources. There is no way to narrow a token to, for example, read-only or to a single endpoint, so access is set entirely by which token is held.

How does the batch endpoint report failures?+

The /email/batch endpoint returns a 200-level status even when individual messages fail validation. The response is an array, one entry per message, and each entry carries its own ErrorCode and Message. An integration checks each entry rather than relying on the overall HTTP status, because a 200 does not mean every message in the batch was accepted.

How are errors returned?+

A failed request returns an HTTP status, and a validation failure returns 422 with a JSON body of ErrorCode and Message, where ErrorCode is a Postmark-specific number for programmatic handling. A 401 means a missing or wrong token, 429 means the request rate was too high, 500 means a Postmark-side error, and 503 means a planned outage. The ErrorCode is what an integration should branch on, not the message text.

How do Postmark webhooks work?+

Postmark POSTs a JSON payload to a registered URL when an event happens, like a delivery, bounce, open, click, spam complaint, subscription change, or inbound message. The payload includes a RecordType field naming the event. Webhooks are secured with HTTP Basic auth credentials in the URL or custom headers, and Postmark retries delivery until it receives a 200, stopping on a 403.

Does Postmark version its API?+

No. There is a single, continuously updated API with no dated or numbered version a request can pin. Notable changes, like the stricter request validation introduced in October 2023, ship through dated release notes. An integration follows those notes for changes rather than selecting a version.

What is Bollard AI?

Control what every AI agent can do in Postmark.

Bollard AI sits between a team's AI agents and Postmark. Grant each agent exactly the access it needs, read or write, area by area, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Postmark token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Postmark access in Bollard Browse all APIs →

Postmark

Transactional Email Agent

Send email ActionOffReadFull use

Read bounces ResourceOffReadFull use

Manage servers ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Postmark

How the Postmark API works.

Connection & authentication methods.

REST API

MCP server (Postmark Labs)

Webhooks

SMTP

Server API token

Account API token

SMTP token

What an AI agent can do in Postmark.

Email (send)

Templates

Bounces

Messages

Suppressions

Stats

Servers

Domains

Sender signatures

Every Postmark API method.

Email (send)

Templates

Bounces

Messages

Suppressions

Stats

Servers

Domains

Sender signatures

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Postmark API, answered.

More marketing API guides for agents

Constant Contact

Campaign Monitor

GetResponse

MailerLite

Mailgun

Braze

Control what every AI agent can do in Postmark.