# Authorize Mailtrap API requests securely

Developers often hardcode Mailtrap API tokens or use incorrect auth headers, leading to security risks and broken integrations. This skill provides the authoritative reference for token scoping, auth header formats, secure storage, and account ID resolution across all Mailtrap API surfaces.

## Install

```bash
npx skillstore add mailtrap/authorizing-api-requests
```

## Metadata

- Slug: mailtrap-authorizing-api-requests
- Version: 1.0.0
- Author: mailtrap
- GitHub username: mailtrap
- License: MIT
- Repository: https://github.com/mailtrap/mailtrap-skills/tree/main/skills/authorizing-api-requests
- Ref: main
- Supported tools: Claude, Codex, Claude Code
- Risk level: low
- Risk factors: external_commands, network, env_access
- Quality score: 74
- Public page: https://skillstore.pages.dev/skills/mailtrap-authorizing-api-requests
- Manifest: https://skillstore.pages.dev/api/skills/mailtrap-authorizing-api-requests/manifest

## Capabilities

- Generates correct Authorization headers in Bearer and Api-Token formats
- Advises on minimum-scope token provisioning per Mailtrap API surface
- Resolves account_id dynamically via the Mailtrap Accounts API
- Recommends secure token storage per environment (local, CI, production)
- Documents recommended environment variable naming conventions
- Guides on separating sandbox tokens from live sending tokens

## Use Cases

- First-time Mailtrap API integration: A developer building a new Mailtrap API integration needs to set up authentication correctly. The skill guides them through token creation, auth header selection, and secure storage from the start.
- CI/CD pipeline token configuration: A DevOps engineer configuring CI/CD pipelines needs to inject Mailtrap API tokens as environment variables. The skill provides guidance on using encrypted CI secret stores and recommended env var naming.
- API security audit and review: A security reviewer needs to verify that Mailtrap API tokens are scoped correctly, stored securely, and not hardcoded in source. The skill documents best practices and anti-patterns for reference.

## Prompt Templates

### Set up Mailtrap API authentication from scratch

```
I need to authenticate requests to the Mailtrap Email Sending API. Generate example code in Python showing the proper Authorization header format, recommended environment variable names, and how to load the token securely.
```

### Select the correct token scope for a task

```
I want to send a transactional email through Mailtrap. What token scope do I need, what API host should I use, and does this endpoint require an account_id in the URL path?
```

### Resolve account_id for account-scoped endpoints

```
I need to call the Mailtrap Contacts API which requires an account_id in the URL path. Show me how to resolve the correct account_id dynamically using the Accounts API, and how to pass it in subsequent requests.
```

### Build a secure production integration

```
I am building a production application that sends emails via Mailtrap. Show me the complete authentication setup including: token storage in a secret manager, auth header generation, account_id resolution, and separation of sandbox and live environments.
```

## Limitations

- Does not provision or generate actual Mailtrap API tokens
- Cannot detect which Mailtrap plan features are available for your account
- Does not handle API rate limits or error retry logic
- Cannot access or modify tokens stored in external secret managers

## Best Practices

- Use the Bearer auth header format for new code to match HTTP conventions and SDK-generated examples
- Scope each API token to the minimum required surface (one stream, one project, one product area) to limit blast radius if leaked
- Resolve account_id dynamically from the Accounts API each session instead of hardcoding it in scripts or config

## Anti Patterns

- Hardcoding API tokens in source code, notebooks, or config files instead of loading from environment variables
- Passing tokens as command-line flags, which leaks them into shell history, process listings, and CI logs
- Using the same token for sandbox testing and live email sending, which creates unnecessary risk if the sandbox token is compromised
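
The practices and anti-patterns above can be enforced at load time. The following is an added example, not code from the skill or from Mailtrap: the environment variable names, `MailtrapToken`, `load_token` and `TokenConfigError` are hypothetical, and the sample token values are constructed.

```python
import os

# Assumed environment variable names (not taken from the skill itself).
ENV_VARS = {"sandbox": "MAILTRAP_SANDBOX_API_TOKEN", "live": "MAILTRAP_SENDING_API_TOKEN"}


class TokenConfigError(RuntimeError):
    """Raised when token configuration violates the practices above."""


class MailtrapToken:
    """Holds a token without exposing it through repr() or str()."""

    def __init__(self, surface, value):
        self.surface = surface
        self._value = value

    def __repr__(self):
        # Redacted so the token does not end up in logs or tracebacks.
        return f"MailtrapToken(surface={self.surface!r}, value='***')"

    def headers(self, scheme="bearer"):
        # The page names two header formats: Bearer (for new code) and Api-Token.
        if scheme == "bearer":
            return {"Authorization": f"Bearer {self._value}"}
        if scheme == "api-token":
            return {"Api-Token": self._value}
        raise ValueError(f"unknown auth scheme: {scheme}")


def load_token(surface, environ=None):
    """Load the token for one surface from the environment, failing closed."""
    environ = os.environ if environ is None else environ
    if surface not in ENV_VARS:
        raise TokenConfigError(f"unknown surface: {surface}")
    value = (environ.get(ENV_VARS[surface]) or "").strip()
    if not value:
        raise TokenConfigError(f"{ENV_VARS[surface]} is not set")
    # Anti-pattern check: sandbox and live must not share one token.
    other = ENV_VARS["live" if surface == "sandbox" else "sandbox"]
    if value == (environ.get(other) or "").strip():
        raise TokenConfigError(f"{ENV_VARS[surface]} and {other} hold the same token")
    return MailtrapToken(surface, value)


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    demo = {"MAILTRAP_SANDBOX_API_TOKEN": "sandbox-example", "MAILTRAP_SENDING_API_TOKEN": "live-example"}
    token = load_token("live", demo)
    print(token, sorted(token.headers()))
```
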

## Security Audit

- Safe to publish: true
- Audited at: 2026-06-03T14:59:36.26+00:00
- Summary: All 75 static findings are false positives. The SKILL.md is a documentation file containing bash/curl examples in markdown code blocks, not executable scripts. The external_command detections target shell backtick syntax inside code fences showing example curl commands. Network findings reference legitimate mailtrap.io API endpoints. Environment access detections are from best-practices documentation on token storage. The skill is safe documentation content with no executable or malicious code.

