Cleanbox
Features Blog Pricing Developers
Sign in Start free trial

API keys and developer access

The Cleanbox REST API gives you programmatic access to your team's aliases, contacts, messages, filters, domains, relay, cloud storage, and quarantine. This article explains how to enable API access, authenticate, and get started with your first request.

Enabling the API

  1. Go to Developer in the sidebar
  2. Toggle Enable API access

When you enable the API, it becomes active for your entire team. All team members share the same API token. Only the team owner can enable or disable API access.

Your API key

After enabling the API, your key is displayed in a masked format (first 8 characters visible). You can:

  • Show token — Reveals the full API key. Keep this secret — anyone with the key has access to your team's data.
  • Regenerate — Creates a new API key and invalidates the old one immediately. Use this if your key is compromised.

Base URL and authentication

All API requests use the base URL:

https://api.cleanbox.app/v1

Every request requires a Bearer token in the Authorization header:

Authorization: Bearer your_api_key_here

Rate limiting

The API is rate-limited to prevent abuse. Rate limit information is included in every response via headers:

HeaderDescription
X-RateLimit-LimitMaximum requests allowed per window
X-RateLimit-RemainingRequests remaining in current window
X-RateLimit-ResetSeconds until the rate limit resets

If you exceed the limit, the API returns a 429 Too Many Requests error. Wait for the reset window before retrying.

Available resources

The API provides access to all core Cleanbox features:

ResourceEndpointsWhat you can do
TeamGETGet team info, usage stats, limits, and subscription details
AddressesGET, PUT, PATCH, DELETEList, update, toggle, and delete aliases and relay addresses
AliasesPOSTCreate new aliases (named or random)
ContactsGET, PUTList, search, update state and category
MessagesGETList, search, view details, download raw email, get spam reports and attachments
QuarantineGET, POSTList quarantined messages, bulk accept or reject
DomainsGETList domains and get verification details
FiltersGET, PATCHList filters with rules, toggle active state
RelayGETList relay domains and protected addresses
MailboxesGET, PATCHList mailboxes, toggle active state
CloudGET, DELETEBrowse files by contact, download or delete
CategoriesGETList all 20 contact categories

Example: creating a new alias

Here is a complete example of creating a new alias using curl:

curl -X POST https://api.cleanbox.app/v1/aliases 
  -H "Authorization: Bearer your_api_key_here" 
  -H "Content-Type: application/json" 
  -d '{"name": "shopping", "mailbox": "a1b2c3d4-...", "label": "Online shops"}'

Response:

{
    "success": true,
    "alias": {
        "uuid": "e5f6g7h8-...",
        "address": "shopping@cleanbox.me",
        "label": "Online shops",
        "active": true,
        "mailbox": "user@gmail.com"
    }
}

To create a random alias instead:

curl -X POST https://api.cleanbox.app/v1/aliases/random 
  -H "Authorization: Bearer your_api_key_here" 
  -H "Content-Type: application/json" 
  -d '{"mailbox": "a1b2c3d4-..."}'

Example: blocking a contact

curl -X PUT https://api.cleanbox.app/v1/contacts/c1d2e3f4-... 
  -H "Authorization: Bearer your_api_key_here" 
  -H "Content-Type: application/json" 
  -d '{"state": "blocked"}'

Error handling

All errors return a consistent JSON format:

{
    "success": false,
    "error": {
        "message": "Description of what went wrong",
        "code": "error_code"
    }
}
CodeMeaning
400Bad request — invalid or missing parameters
401Unauthorized — missing or invalid API key
403Forbidden — insufficient permissions or limit reached
404Not found — resource does not exist
410Gone — message content no longer available (retention expired)
429Too many requests — rate limit exceeded

Access restrictions

  • API access is available to the team owner only
  • The API key is team-scoped — it accesses all resources within the team
  • Regenerating the key invalidates the old key immediately
  • API actions are not currently logged in the activity log

Full API reference

For the complete endpoint documentation with all parameters, request/response examples, and detailed descriptions, see the API Reference on our website.