REST API · Webhooks · Operational Guide

Email API Integration Guide

Everything developers need to integrate NexusProMail correctly — authentication, API key security, webhook implementation, rate limit handling, error patterns and sending architecture decisions.

Get your free API key Endpoint reference

This is an operational integration guide. Transactional email API overview → · Full endpoint reference →

Quick Answer

The NexusProMail API is a REST API authenticated with a Bearer token. Send your API key in every request as Authorization: Bearer YOUR_API_KEY. Register webhooks to receive real-time delivery events. Implement exponential backoff for 429 responses. Use separate sending subdomains for transactional and marketing email.

Key Takeaways

API keys belong in environment variables — never in source code or client-side JavaScript
The sandbox key works immediately on signup; production requires DKIM/SPF domain verification
Every webhook payload is HMAC-SHA256 signed — always verify the signature before processing
429 responses include a Retry-After header; use exponential backoff, not a fixed sleep
Hard bounce webhooks should trigger immediate suppression in your own database
Use separate sending subdomains for transactional and marketing email to isolate reputation
The REST API is preferred over SMTP for all new integrations

Authentication

Every API request requires a Bearer token. Keys are scoped per account and can be rotated at any time.

HTTPRequired header on every request

Authorization: Bearer YOUR_API_KEY
Content-Type: application/json

Generate your API key

Sign up for a free account. Your sandbox API key is available immediately in the dashboard under Settings → API Keys. No DNS setup required for initial testing.

Store the key securely

Set your API key as an environment variable (API_KEY or NEXUSPROMAIL_API_KEY). Never hardcode keys in source files or commit them to version control. Use a secrets manager in production.

Add the Authorization header

Every API request requires: Authorization: Bearer YOUR_API_KEY. The header must be present on every request — there is no session-based authentication.

Verify your domain before going live

Add DKIM and SPF records for your sending domain and verify in the dashboard. Without domain verification, sends are limited to sandbox. Domain verification takes effect within 24 hours of DNS propagation.

API Key Security — Never do this

✗Never commit API keys to git repositories

✗Never include API keys in client-side JavaScript

✗Never log API keys in application logs

✗Never share API keys across environments

Webhook Events

Register a webhook endpoint to receive real-time events for every delivery outcome. Payloads are signed with HMAC-SHA256.

Node.jsVerify webhook signature before processing

const crypto = require('crypto')

function verifyWebhookSignature(rawBody, sig, secret) {
  const expected = crypto
    .createHmac('sha256', secret)
    .update(rawBody, 'utf8')
    .digest('hex')
  // timingSafeEqual prevents timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(expected, 'hex'),
    Buffer.from(sig, 'hex')
  )
}

// Express — parse raw body for signature check
const rawParser = express.raw({
  type: 'application/json',
})

app.post('/webhooks/email', rawParser, (req, res) => {
  const sig = req.headers['x-nexuspromail-signature']
  const secret = process.env.WEBHOOK_SECRET
  const valid = verifyWebhookSignature(req.body, sig, secret)
  if (!valid) {
    return res.status(401).send('Bad signature')
  }
  const event = JSON.parse(req.body)
  // Handle event.type and event.data
  res.sendStatus(200)
})

Event	Description	Recommended action
`delivered`	Email accepted by the receiving mail server	Update delivery status in your database
`opened`	Recipient opened the email (pixel tracked)	Trigger engagement workflows, update last-active timestamp
`clicked`	Recipient clicked a tracked link in the email	Record engagement, trigger conversion workflows
`bounced.hard`	Permanent delivery failure — address does not exist	Suppress address immediately in your own database
`bounced.soft`	Temporary delivery failure — retry in progress	Monitor; treat as hard bounce after 3+ consecutive failures
`complained`	Recipient marked the email as spam	Suppress immediately; investigate send that triggered complaint
`unsubscribed`	Recipient clicked the unsubscribe link	Update subscription status; stop all marketing sends to this address

Rate Limiting

The API enforces per-key rate limits. A 429 response includes a Retry-After header with the wait time in seconds. Use exponential backoff — not a fixed delay.

Node.js — exponential backoff

const key = process.env.NEXUSPROMAIL_API_KEY

async function sendWithRetry(payload, tries = 3) {
  for (let i = 0; i <= tries; i++) {
    const res = await fetch(SEND_URL, {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${key}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify(payload),
    })

    if (res.status !== 429) return res

    const after = res.headers.get('Retry-After')
    const wait = parseInt(after ?? '1', 10)
    const ms = wait * 1000 * Math.pow(2, i)
    await new Promise(r => setTimeout(r, ms))
  }
  throw new Error('Retry limit exceeded')
}

Error Reference

400Bad Request

Cause: Malformed JSON or missing required field

Fix: Check request body against API docs; validate before sending

401Unauthorized

Cause: Missing, invalid or expired API key

Fix: Verify Authorization header format: Bearer YOUR_API_KEY

422Unprocessable

Cause: Valid request but suppressed address, invalid domain, or failed validation

Fix: Check error message body; handle suppression responses by updating your records

429Rate Limited

Cause: Request rate exceeded for your plan tier

Fix: Read Retry-After header; implement exponential backoff

500Server Error

Cause: Transient infrastructure issue

Fix: Retry with exponential backoff; raise support ticket if persistent

SMTP vs REST API: When to Use Each

Both methods use the same sending infrastructure. The choice is about your integration layer, not deliverability.

Factor	REST API	SMTP
Integration complexity	Low — standard HTTP POST with JSON body	Medium — connection management, MIME encoding
Structured responses	Full JSON response with message ID, errors	SMTP reply codes only — limited error detail
Suppression enforcement	Automatic — 422 returned for suppressed addresses	Enforced at connection layer — less granular feedback
Webhook support	Full webhook event registration via API	Bounce callbacks via VERP — more complex to configure
Observability	Message ID in response for correlation; full API logs	Limited — depends on SMTP client logging
Legacy system compatibility	Requires HTTP client capability	Compatible with any SMTP-capable system
Recommendation	✓ Use for all new integrations	Use only for legacy or SMTP-only systems

Subdomain Sending Architecture

Always send email from a subdomain — never from your root domain. This protects your main domain’s reputation if deliverability problems occur.

Recommended architecture: separate subdomains for transactional and marketing email. Each has its own DKIM key, SPF record and sender reputation. Problems with one do not affect the other.

mail.yourdomain.com

Transactional email

Password resets, order confirmations, account alerts

Critical — must always reach inbox

news.yourdomain.com

Marketing email

Newsletters, promotional campaigns, re-engagement

Important — inbox placement improves with engagement

yourdomain.com (root)

Never use for email

Website, search engine presence, security reputation

Protect at all costs — no email sending

Developer FAQ

How do I authenticate with the NexusProMail API?+

All API requests require a Bearer token in the Authorization header: Authorization: Bearer YOUR_API_KEY. API keys are scoped to your account and can be rotated from the dashboard at any time. Never include your API key in client-side code or commit it to version control — use environment variables.

What is the difference between the sandbox and production API keys?+

The sandbox key is available immediately on signup and lets you test the full API without sending real email. No DNS setup or domain verification is required. Switching to production requires verifying your sending domain (DKIM and SPF) and activating your production key. Sandbox and production use the same API endpoints — only the key changes.

How do I handle rate limiting in the NexusProMail API?+

When you exceed the rate limit for your plan tier, the API returns a 429 Too Many Requests response with a Retry-After header indicating how many seconds to wait. Implement exponential backoff in your integration: wait, then retry. For bulk transactional sending, use a queue and dispatch at a controlled rate rather than sending synchronously in a loop.

What webhook events does NexusProMail emit?+

NexusProMail emits webhook events for: delivered, opened, clicked, bounced (hard and soft separately), complained (spam report), unsubscribed. Each event payload includes the recipient address, message ID, timestamp and relevant metadata. Webhooks are signed with HMAC-SHA256 so you can verify the payload origin.

How do I verify a webhook signature?+

NexusProMail signs every webhook request with your webhook secret key using HMAC-SHA256. The signature is included in the X-NexusProMail-Signature header as a hex digest of the raw request body. To verify: compute HMAC-SHA256 of the raw request body using your webhook secret, then compare with the header value. Reject any request where the signatures do not match.

Should I use SMTP or the REST API?+

Use the REST API for new integrations. It offers full control, structured JSON responses, built-in suppression enforcement, webhook configuration and better observability. Use SMTP only when integrating with systems that cannot make HTTP requests (legacy applications, certain CMS platforms). Both methods use the same sending infrastructure and authentication.

What is subdomain sending and why does it matter?+

Subdomain sending means using a subdomain (e.g. mail.yourdomain.com) for email rather than your root domain. This isolates your email sending reputation from your main website domain. If your transactional email reputation suffers (high bounces, complaints), it does not affect your root domain's search engine or security reputation. Separate subdomains for transactional and marketing email provide additional isolation.

How do I handle suppressed addresses in my application?+

The NexusProMail API enforces suppression automatically — if you attempt to send to a suppressed address, the API returns a 422 response with a suppression reason. Your application should catch this response and update its own records accordingly. You can also query the suppression list via the API to sync it into your own database if needed.

Start building in minutes

Sandbox key ready immediately. No DNS setup required for testing. Production key after domain verification.

Get free API key →Endpoint reference

Also read: Transactional email API · Email deliverability · Domain warming · Compliance guide