Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.



The content of this page applies to all the methods of MailUp REST API except for the Transactional APIs, which do not use OAUTH OAuth 2.0

Before you start

MailUp REST API follows OAuth 2.0 specification and authorizes only the applications that specify a pair of valid access keys ("Client ID" and "Client Secret") in the authentication process. 

First, get your API access keys

To get your access keys, you must register your application by following the procedure that is described here.


Make sure you clearly understand the role of access keys, developer accounts, and MailUp user credentials. These notes should be useful:

  • API access keys identify a software application (e.g. a plugin for Salesforce that uses MailUp REST API).
    • Access keys are used according to the roles of "client ID" and "client secret" in OAUTH 2.0 specifications.
    • You can use them with any MailUp account, regardless of the account they were created from.
    • By requesting a pair of keys, you register your application. So you have to provide details about it and its author.
  • A developer account is a free platform that could be requested to MailUp in case your regular account does not let you generate the API access keys.
    • A developer account cannot be converted into a production account and you cannot purchase a subscription plan for it. Use it just for the purposes stated above. 
  • User credentials are the username and the password that identify an a user of a specific MailUp account
    • When you start using an application, you are asked to provide the credentials of the MailUp account your application has to be connected to. Only at this moment, you are linking a pair of access keys to a MailUp user
    • Since the allowed relationships between access keys and MailUp users are "many-to-many", you can use the same access keys with several MailUp accounts.


Once you get the access keys and you have in mind the basic concepts stated above, you are ready to start developing your application. Authentication with OAuth 2.0 is not a walk in the park, the recommended approach is to check out a piece of working code form from Samples and Wrappers.

Anyway, if you are not familiar with any of the programming language languages of our samples, or if you want to know more, you can have a look at the section below.


Depending on how authorization requests are made, responses can be JSON messages, form-encoded data, or query string parameters. The OAuth v2 protocol better defines the response data format, according to the different flows. Being OAuth v2 a framework, several authorization flows are supported; they are named "Grants" and can be listed as follows:


Authorization code grant (aka "3-legged") is a little bit more complex than the others, but it is robust and safe. In particular, authentication is done on a MailUp page. For your client application, there is no need of storing user credentials, which may become invalid if you change your password. You simply have to call that page passing both the application keys and the URL of your callback page the authentication tokens are returned to. Once you have the tokens you can go on with them. You can use them whenever you need to access to an API resource. You just only have to refresh the access token when it expires. There is no need of for any further authorization flow unless you have to connect your application to a different MailUp user.


  • password may change, if you save it on your client your application may stop working when a stored password is no more valid
  • if you store the password on your client you are responsible for keeping it safe


After passing the authorization process, the client application impersonates a MailUp user. Then, the resources the user is enabled to get or set are accessible by calling related API endpoints. For more detailed information about available resources and related API methods, please refer to the specific documentation of the REST API Resources

 According to the OAuth v2 specification, an access token needs to be provided in the request's HTTP header in order to access protected information/resources. MailUp API requires using the "Bearer Token". Please check out the example below or refer to the RFC 6750 page for details.

Code Block
titleResource access by specifying access token
curl -H "Authorization:Bearer MYACCESSTOKEN" /
		-H "Content-Type:application/x-www-form-urlencoded" MYRESOURCEENDPOINT 


An application can access to an account's resources only if it has a valid pair of API keys and a valid access token is provided.


  1. Account or user restrictions: when accessing from API impersonating a MailUp user, you will find the same restrictions that you have when you log in to the MailUp web application with the same user. E.g. a maximum number of total mailings for trial accounts, possible restrictions on MailUp lists accessible to an a user in case of multi-user accounts...
  2. Frequency of calls (Rate Limiting): a check is performed on the frequency of the calls by the method, enabling only the calls which fall within a defined range of calls per second (the default value is 5 per second, HTTP 403 is returned when this limit is exceeded)

MailUp reserves the right at any time to limit, suspend or ban any user or client application that may be found abusing of the API services.

Response format


In case of successful access to the requested resource, an HTTP 200 status code is returned, along with the requested data.
Should an error occur (e.g. caused by malformed request, invalid token, frequency call restrictions, or user access privilege limitations), the following error codes are returned:

  • HTTP 400 (Bad request): malformed request or missing parameters. In case of an invalid or malformed authorization token (either refresh token or access token), a proper description message is also returned.
  • HTTP 401 (Unauthorized): expired or revoked token.
  • HTTP 403 (Forbidden): the application is requesting a resource which that is not in the scope of the impersonated user. 
  • HTTP 429 (Too many requests): it is returned in case of too many requests per second on a single API resource.
  • HTTP 500 (Internal error): returned in case of any resource server-internal problem.
  • HTTP 503 (Service unavailable): temporary error. The server is currently unable to handle the request due to a temporary overload or scheduled maintenance, which will likely be alleviated after some delay.

OAuth v2 error codes and error descriptions are returned either as a detail detailed part of the raised fault or as a header parameter as stated in the Bearer token documentation.

In case of an expired token, you need to refresh it (HTTP 401)

In case of an HTTP 401 error, you need to refresh the authorization token, getting a new one by means of utilizing the refresh token. Please note that also the "refresh token" is renewed with the request and the new value is returned in the response body.