API referencev1 · stable

Single call. Decisive verdict.

The Postelist API is a REST endpoint that returns a binary verdict — deliverable or invalid— for any email address you hand it. JSON in, JSON out, bearer-authenticated, rate-limited per key.

Base URL
https://app.postelist.com
Content type
application/json
Auth
Authorization: Bearer pl_live_…
01

Overview

The API exposes one verification endpoint today. It accepts a single email address and returns a classification decided by the same validator the dashboard uses — no separate ruleset, no silent downgrade. All responses carry Cache-Control: no-store and a X-RateLimit-Remaining header.

Current surface
POST /api/v1/validate— verify a single address. Bulk submission and webhook notifications are on the roadmap.
02

Authentication

Every API call must carry a bearer token in the Authorizationheader. Tokens are issued from the dashboard and are shown once on creation — only the SHA-256 digest is stored server-side, so a lost key cannot be recovered, only revoked and replaced.

Authorization: Bearer pl_live_a1b2c3d4e5f6…

Creating a key

  1. Sign in to your dashboard.
  2. Open the API keys panel.
  3. Name the key (e.g. production-api), hit Generate, and copy the plaintext token immediately. It will never be shown again.
  4. Paste it into your server’s secret store. Never commit keys to source control or ship them in client-side bundles.

Key details

Prefixpl_live_ followed by 32 bytes of base64url entropy
StorageSHA-256 hash only; plaintext is never persisted
Scopevalidate:single (issued by default)
LimitTen active keys per account. Revoke before creating new ones.
RevocationInstant from the dashboard. Subsequent calls return 401.
03

Rate limits

Each key carries its own token bucket. You can burst up to ten requests immediately, and the bucket refills at one request per second thereafter. Limits are enforced per key, not per account — high-volume services should use a dedicated key.

Burst10 requests
Sustained1 request per second
Success headerX-RateLimit-Remaining: <integer>
Exceeded429 Too Many Requests with Retry-After: <seconds>

Clients should honour Retry-Afterwith a sleep or queue — retrying immediately will simply 429 again.

04

Errors

Every error response is JSON with a single error key describing what went wrong. No stack traces, no PII.

{ "error": "Missing bearer token" }
StatusMeaningTypical cause
400Bad requestMalformed JSON body, missing or non-string email, address fails syntax check.
401UnauthenticatedMissing bearer token, token does not match any key, key revoked, or key expired. Response carries aWWW-Authenticate challenge.
403Insufficient scopeKey exists but its scope list excludes validate:single. Body also carries required.
405Method not allowedOnly POST is accepted on /api/v1/validate.
429Rate limitedBucket exhausted for this key. Back off per Retry-After.
503Validator unavailableThe verification daemon is momentarily unreachable. Safe to retry.
05

Validate an email

POST/api/v1/validate

Verifies a single email address. The validator attempts up to three SMTP handshakes before returning — uncertain probes are resolved into a definitive invalid rather than exposed to the client.

Request body

FieldTypeRequiredDescription
emailstringyesAddress to verify. Maximum 254 characters; rejected with 400 if it fails syntax check.

Response body

FieldTypeDescription
emailstringThe address that was verified (normalised by the validator).
classification"deliverable" | "invalid"Final verdict. See Classifications.

Example

Request
curl https://app.postelist.com/api/v1/validate \
  -H "Authorization: Bearer pl_live_a1b2c3d4e5f6…" \
  -H "Content-Type: application/json" \
  -d '{"email": "ada@postelist.com"}'
200 OKResponse
{
  "email": "ada@postelist.com",
  "classification": "deliverable"
}
06

Classifications

The API returns one of two values. There is no risky, no catch-all, no unknown— probes that cannot be resolved after retries are recorded as invalid rather than handed back as a maybe.

  • deliverable

    The receiving mail server confirmed the mailbox exists and is accepting mail. Safe to send.

  • invalid

    The mailbox does not exist, the domain does not accept mail, or the address could not be confirmed after three attempts. Do not send.

07

Roadmap

Two additions are planned. When they ship, they will be documented here with the same precision as the rest of this reference.

  • Bulk submission

    POST /api/v1/jobs to hand off a list of addresses, with a polling endpoint to stream results back as JSON or CSV.

  • Webhook callbacks

    HMAC-signed POST to a URL of your choosing when a bulk job finishes. Idempotent; retried on transient failure.