Every MailerMonk sub-account can mint up to three API keys. Each key is scoped to that sub-account only, so a key leak never gives an attacker access to any other client's data. Keys are passed via the X-API-Key HTTP header — straightforward, REST-friendly, and easy to plug into GoHighLevel webhooks or your own backend.
This guide covers generating a key, the headers and endpoints you'll use most often, and the rate limits and security defaults you should know about before going to production.
Generate and use your first API key
Open the Settings tab inside the embedded MailerMonk app
Inside any sub-account, open MailerMonk from the left menu and click Settings. The API Keys panel lists every active key for that sub-account along with its label and last-used timestamp.
Create a new key with a descriptive label
Click Create API key and give it a name that describes where it'll be used (e.g. "GHL Workflow — Verify on Create" or "Internal CRM sync"). The full secret is displayed once at creation time and never again — copy it into your secret store immediately.
Authenticate every request with the X-API-Key header
All endpoints require the X-API-Key header. Example: curl -H "X-API-Key: mm_live_…" https://api.mailermonk.com/v1/verify -d '{"email":"jane@acme.com"}'. Requests without a valid key return HTTP 401.
Wire it into a GoHighLevel workflow
Add a Webhook action on the "Contact Created" trigger pointing at https://api.mailermonk.com/v1/verify with the contact's email in the body. The response includes status (valid/invalid/risky/unknown) which you can map to a GoHighLevel tag in the next workflow step.
Rotate keys at least every 90 days
From the Settings panel, click Rotate next to any key. A new secret is issued and the old one continues to work for 24 hours so you have time to update the consumer. After 24 hours the old secret returns 401.
Endpoints you'll use most
POST /v1/verify — single-address verification, returns within ~2s. Body: { "email": "..." }. Response includes status, score, and detected provider.
POST /v1/verify/batch — up to 1,000 addresses per call. Returns a job ID; poll GET /v1/verify/batch/:id for completion. Best for migration scripts and one-off list cleans.
GET /v1/domains/:domain/health — returns SPF / DKIM / DMARC / MX / blocklist status in one call. Cheaper and faster than five separate tool endpoints.
GET /v1/blocklists/:domain — explicit blocklist-only check across the major lists. Use this for hourly polling on critical sending domains.
Rate limits and error handling
Default rate limit is 60 requests/minute per API key for verify endpoints and 600 requests/minute for read-only domain checks. The X-RateLimit-Remaining header is included on every response so you can throttle proactively.
On 429 (rate limited), MailerMonk returns a Retry-After header in seconds. Honour it — retrying immediately will get the key temporarily blocked. On 5xx, retry with exponential backoff up to 3 attempts; everything is idempotent at the request level.
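The retry rules above in a small Python client, as an added example that is not MailerMonk's own code: it waits for Retry-After on 429, backs off exponentially on 5xx, and returns X-RateLimit-Remaining so the caller can throttle. It reads "up to 3 attempts" as three tries in total; the cap of five waits on 429, the Content-Type header, the 2xx success check and the injectable send/sleep parameters are assumptions.

```python
import json
import time
import urllib.error
import urllib.request

VERIFY_URL = "https://api.mailermonk.com/v1/verify"  # endpoint from this page


def http_post(url, headers, body):
    """Default transport: return (status, headers, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def verify_email(email, api_key, send=http_post, sleep=time.sleep,
                 max_5xx_attempts=3, max_429_waits=5):
    """Return (parsed_response, X-RateLimit-Remaining or None) for one address."""
    # Content-Type is an assumption; the page only shows a JSON body.
    headers = {"X-API-Key": api_key, "Content-Type": "application/json"}
    body = json.dumps({"email": email}).encode()
    attempts_5xx = waits_429 = 0
    while True:
        status, raw_headers, payload = send(VERIFY_URL, headers, body)
        hdrs = {k.lower(): v for k, v in raw_headers.items()}  # names are case-insensitive
        if status == 429:
            waits_429 += 1
            if waits_429 > max_429_waits:  # cap is an assumption, not a documented limit
                raise RuntimeError("still rate limited after repeated waits")
            sleep(int(hdrs.get("retry-after", "1")))  # wait exactly as long as told
            continue
        if 500 <= status < 600:
            attempts_5xx += 1
            if attempts_5xx >= max_5xx_attempts:
                raise RuntimeError(f"HTTP {status} after {attempts_5xx} attempts")
            sleep(2 ** (attempts_5xx - 1))  # 1s, then 2s
            continue
        if status == 401:
            # Revoked key, or an old secret past its 24-hour rotation window.
            raise PermissionError("X-API-Key rejected; load the current secret")
        if not 200 <= status < 300:
            raise RuntimeError(f"unexpected HTTP {status}")
        remaining = hdrs.get("x-ratelimit-remaining")
        return json.loads(payload), None if remaining is None else int(remaining)
```

Pass the key in from your secret store at call time; none of the exceptions raised here include it, so they are safe to log.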
Frequently asked questions
Are API keys scoped to a single sub-account?
Yes. A key minted in sub-account A cannot read or write data for sub-account B, even within the same agency. This is a hard isolation boundary enforced server-side.
What happens if a key is leaked?
Revoke it immediately from the Settings panel — revocation is effective in under a second across all MailerMonk regions. Then rotate any other keys generated by the same person and review the key's request log for unfamiliar IPs.
Can I use the same key from multiple servers?
Yes, but it's a bad practice. One key per consumer makes leaks easier to contain and request logs easier to attribute. The 3-keys-per-sub-account ceiling exists to encourage this without making it painful.
Is there an SDK?
The REST API is the contract; thin TypeScript and Python helpers are on the roadmap. In the meantime any HTTP client works — examples for Node, Python, PHP, and curl are in the docs.
