TrekMail REST API Overview for Developers

The TrekMail API lets you manage domains, mailboxes, forwarding, DNS, email migrations, and full webmail operations — read, send, draft, schedule, folder management, contacts, calendar, identities, templates, and blocked senders — from any HTTP client or AI agent. Every request uses a bearer token, every response is JSON, and every action is audited.

What you get

• REST API v1 with JSON request/response format.
• Bearer token authentication — no cookies, no sessions.
• Idempotency keys on mutating requests to prevent duplicate operations.
• Per-token rate limiting with Retry-After headers.
• Audit log visible in your dashboard under AI Agents & API → Audit Log.
• MCP server with 192 tools, including 42 Drive tools for files, folders, uploads, share links, bulk operations, sync-device password management, and read-only Drive Add-on status.
• Dual-token architecture — separate ops tokens for infrastructure and message tokens for full email operations (read, send, draft, schedule, contacts, calendar, identities, templates, folders, and more).
• Outbound deliverability + bounce insights — pull the same sent/delivered/hard/soft rollup your dashboard shows, plus per-recipient hard/soft bounces with the receiver's SMTP status code and response. See Deliverability and Bounces.
• Mailbox storage usage — list_mailboxes and get_mailbox now return used_mb, quota_mb, allocation_mb, and is_pooled, so an agent can spot mailboxes approaching their limit without dashboard access.

Drive API and file automation

Drive is now part of the public API surface. The Drive API exposes 43 REST endpoints for Account Drive and mailbox Drive: spaces, usage, folder browsing, uploads, file and folder management, Trash, bulk actions, public share links, sync-device password management (rclone / Cyberduck / X-Plore / DAVx⁵ / Documents / FolderSync), and read-only Drive Storage Add-on status.

Drive uses eleven ops-token scopes: drive:account:read, drive:account:write, drive:account:share, drive:account:purge, drive:mailbox:read, drive:mailbox:write, drive:mailbox:share, drive:mailbox:purge, drive:addon:read, drive:devices:read, and drive:devices:write. Billing actions for the Drive Add-on — purchase, resize, and cancel — remain dashboard-only and are not exposed as API or MCP write operations.

Start with Drive API Overview or the Drive API Quickstart.

Dual-token architecture

The API uses two independent token types. You can use one or both depending on your needs:

Ops tokens and message tokens have separate scopes and separate rate limits. A single agent can use both tokens simultaneously by configuring them in the MCP server environment.

Message tokens are available on Pro and Agency plans.

Before you start

• All plans have API access:
  • Nano — Email Verifier. Add a Drive Storage Add-on and the full Drive API + 42 MCP tools come with it.
  • Starter — Full Drive, full Email Verifier, and read-only across the rest (domains, mailboxes, migrations, tickets, etc.). Writes for those run from the dashboard.
  • Pro / Agency — Everything: read, write, create, delete across every family, plus message tokens for email read/send.
• Connecting an AI agent (Claude / Cursor / Windsurf / etc.)? Open claude.ai/customize/connectors, click + → Add custom connector, and paste https://trekmail.net/mcp. Your browser handles OAuth — no manual token to create. See Connecting AI Agents (MCP) for the full path list (Claude.ai, Claude Desktop, Claude Code, mcp-remote, self-hosted stdio).
• Writing your own integration? Create a tm_live_ token under AI Agents & API → Tokens → Create token and send it as Authorization: Bearer …. See Creating and Managing API Tokens.
• New to the API? Click the Guide button at the top of the AI Agents & API page for an interactive walkthrough of the dashboard — it covers connection methods, token management, and the audit log in about 60 seconds.

How authentication works

Every request must include your token in the Authorization header:

Authorization: Bearer tm_live_abc123...

Ops tokens start with tm_live_ and message tokens start with tm_msg_. Both are shown once at creation. TrekMail stores only the SHA-256 hash — the plaintext cannot be recovered.

If the token is missing, revoked, or expired, the API returns 401 with an unauthenticated error code.

Base URL and versioning

All endpoints live under:

https://trekmail.net/api/v1

The base URL is shown on your AI Agents & API dashboard under Quick Reference. The version is in the URL path. When a v2 is introduced (if ever), v1 will continue to work.

Response format

Successful responses return JSON with a data key for single resources or a paginated list:

{
  "data": [
    { "id": 1, "domain": "example.com", "status": "active" }
  ],
  "links": { "next": "...", "prev": null },
  "meta": { "current_page": 1, "last_page": 1, "total": 1 }
}

Error responses follow a consistent structure:

{
  "error": {
    "code": "unauthenticated",
    "message": "Invalid or expired API token",
    "hint": "Check that your token is correct and has not been revoked.",
    "request_id": "req_abc123",
    "retryable": false
  }
}

Request IDs

Every response includes an X-Request-Id header. You can also pass your own via X-Request-Id in the request — it will be echoed back and logged in the audit trail.

Rate limits

Each token is rate-limited per minute. When you hit the limit, the API returns 429 with a Retry-After header indicating when you can retry.

Destructive operations (delete intents) have an additional daily limit per token and a cooldown between consecutive deletes.

Migration write operations (start, cancel, retry) have a dedicated rate limit of 10 requests per minute per token, plus a server-wide concurrency cap that returns 503 when too many migrations are running globally.

Idempotency

All POST and PUT requests require an Idempotency-Key header. If you send the same key with the same body, the API replays the original response without creating duplicates.

Idempotency-Key: create-mailbox-alice-2024

If you send the same key with a different body, the API returns 409 Conflict.

Mailbox storage allocation

Every endpoint that creates a mailbox or invite — POST /api/v1/mailboxes, /api/v1/mailboxes:bulk, /api/v1/mailboxes/invites, /api/v1/mailboxes/invites:bulk — accepts an optional storage_allocation_mb integer.

Allocations are validated against the live pool minus existing dedicated mailboxes and pending dedicated invites. Bulk endpoints additionally validate the sum of allocations across the batch and reject the entire batch with 422 storage_pool_exceeded if it would over-commit. The pool refreshes when a dedicated mailbox is deleted, when an invite is redeemed (allocation moves to the new mailbox), and when a pending invite expires.

For invites the allocation is recorded on the access code and copied onto the new mailbox at redeem time. If the pool no longer fits the requested allocation at redeem time (e.g. another admin grew their dedicated allocation in the interim), the redeem gracefully downgrades the new mailbox to shared rather than failing — the recipient sees a notice on the success page.

Available endpoints

The Cloudflare endpoints follow the same flow as the dashboard: validate a token, list zones, connect domains, preview the DNS changes, then apply them. Both /cloudflare/preview and /cloudflare/apply accept two optional per-domain controls:

• included_records — an allowlist of which records to touch, keyed by domain ID: { "123": ["mx_primary", "spf_record"] }. Records you leave out are skipped, so you can apply only MX and SPF and come back for DKIM later. Omit the field to apply every record.
• confirmed_conflicts — when preview flags a record that already exists with a different value, list its record ID here (same { domain_id: [record_ids] } shape) to authorise replacing it.

The record IDs (mx_primary, spf_record, dkim_primary, dmarc_main, …) come straight from the preview response, so a typical agent calls preview first and feeds the IDs it wants back into apply:

POST /api/v1/cloudflare/apply
{
  "domain_ids": [123],
  "included_records": { "123": ["mx_primary", "spf_record"] },
  "confirmed_conflicts": { "123": ["dmarc_main"] }
}

Internal support endpoints (HMAC auth)

These endpoints use HMAC-SHA256 authentication (not bearer tokens) and are used by the AI support pipeline:

The OpenAPI specification is available at /api/openapi.json for import into Postman, Insomnia, or code generators.

Quick fixes

• 401 "unauthenticated": Check that the Authorization: Bearer <token> header is present and the token has not been revoked or expired.
• 403 "plan_api_disabled": The requested scope isn't on your plan. Nano covers Email Verifier (and Drive if you've bought the Drive Storage Add-on). Upgrade to Starter or higher for the rest of the API.
• 403 "token_scope_blocked_by_plan": Your token has scopes that are not available on your current plan. Revoke the token and create a new one with allowed scopes.
• 422 "missing_idempotency_key": Add an Idempotency-Key header to POST and PUT requests.
• 429 rate limited: Wait for the duration in the Retry-After header before retrying.

Sending email — body, headers, deliverability

POST /api/v1/messages/send takes the request shape {to, subject, body: {text, html}, attachments, reply_to_message_id, headers}.

• body.text and body.html are both optional, but at least one is required. If you provide only body.text we auto-generate an HTML alternative using <p> paragraphs (blank lines split paragraphs; single newlines become <br>) so the message renders as ordinary email in every modern client. If you need monospace, send the literal <pre>...</pre> in body.html.
• headers is an optional object of user-supplied outbound headers. The whitelist is List-Unsubscribe, List-Unsubscribe-Post, Reply-To, and any X-* custom tracking header. Other names (From, Subject, Message-Id, Authentication-Results, etc.) are platform-managed and rejected with 422. Values containing CR/LF are also rejected (header injection protection). Values are capped at 998 chars per RFC 2822.
• For bulk/automation use cases, see the Bulk-sender deliverability headers section for List-Unsubscribe setup and the account-wide auto_list_unsubscribe toggle.