Public API

A REST API. JMAP. Signed webhooks. The audit log.

Verkio is built API-first — the same endpoints the web app uses are open to you. REST with an OpenAPI 3.1 spec for codegen. Signed webhooks for the events you care about. JMAP for direct mail-protocol access. The audit log streamable to your SIEM.

REST

REST with an OpenAPI 3.1 spec.

Every endpoint documented in a single OpenAPI 3.1 file. Point your codegen tool (openapi-generator, oapi-codegen, OpenAPI TS) at /api/v1/openapi.json and get a typed client in your language of choice — or browse the interactive reference at /developers.

  • OpenAPI 3.1 spec at /api/v1/openapi.json — codegen-ready.
  • Interactive reference at /developers (Swagger UI).
  • Bearer-token auth (RFC 6750). Keys hashed with Argon2id at rest.
  • Per-key rate limits with X-RateLimit-* headers. 429s with Retry-After.
  • Idempotency-Key support on mutating endpoints — safe to retry on flaky networks.

Signed webhooks

HMAC-signed delivery with a dead-letter queue.

Subscribe to the events you care about — new mail, audit log entries, account changes. Every payload is HMAC-SHA256 signed so you can verify it came from Verkio. Failed deliveries retry with exponential backoff; persistent failures land in a dead-letter queue you can inspect and replay.

  • HMAC-SHA256 signature per payload (X-Verkio-Signature header).
  • Exponential backoff retries on 5xx and connection errors.
  • Dead-letter queue in the dashboard — inspect, replay, dismiss.
  • Every delivery attempt logged in the audit log.

JMAP passthrough

Speak the modern mail protocol directly.

Verkio's underlying mail server speaks JMAP (RFC 8620 / 8621) — the modern, JSON-based successor to IMAP. The Public API exposes a JMAP passthrough so client libraries can talk to your mailboxes directly without re-implementing every endpoint server-side.

  • JMAP Core (RFC 8620) and JMAP Mail (RFC 8621) over /api/v1/jmap.
  • Use any JMAP-compatible client library — jmap-client (JS), python-jmap, others.
  • Push notifications via JMAP EventSource — no polling.
  • IMAP and SMTP also available for clients that need them.

Audit log API

Every admin action, streamable.

The same audit log you read in the dashboard is available as an API — paginated, filterable, with before/after values on every change. Stream events to Splunk, Datadog, or any SIEM that accepts a webhook or polls a paginated endpoint. Export to CSV or JSONL for forensics.

  • Paginated and filterable: by user, by event type, by date range.
  • Before/after values on every mutation — full forensic trail.
  • Stream to your SIEM via webhook or pull endpoint.
  • Export to CSV or JSONL for offline analysis. Seven-year retention by default.

Production-ready

Built for the long-running integrations you actually want to write.

Scoped API keys with rotation. Per-key rate limits. Idempotency on writes. Versioned URLs so a deprecation won't blindside you on a quiet Sunday. The boring guarantees that make an integration worth writing.

  • Scoped API keys — read-only, scoped to a mailbox, scoped to an org.
  • Key rotation in the dashboard — revoke and reissue without downtime.
  • URL-versioned (/api/v1/…) with deprecation headers months in advance.
  • OpenAPI changelog published; breaking changes only on major version bumps.

Open standards

RFCs and OpenAPI. Nothing proprietary.

Every protocol the Public API speaks is publicly documented. Bring your codegen tool. Bring your existing client library. Nothing here is invented for a vendor pitch.

  • OpenAPI 3.1
  • REST
  • JMAP Core (RFC 8620)
  • JMAP Mail (RFC 8621)
  • Bearer auth (RFC 6750)
  • HMAC-SHA256 (RFC 6234)
  • Argon2id key hashing
  • TLS 1.3

Launching July 2026

Join the waitlist

We'll be in touch when Verkio opens.