You can customize and install the SafetyMails email verification API, with code in the programming language of your choice and with access keys, which will be used for real-time verification of emails in various services, whether landing pages, point-of-sale forms, applications, etc. By definition, SafetyMails will respond to query calls by returning the requested information.
Registering a source:
Remember that for this API to work you need to have a credit subscription activated (see how to subscribe).
To start the process just follow these steps:
- Log into your Safetymails account (If you don’t have an account, create one now and get 100 free credits);
- On the top menu, click on “Real-time API”
- Select the “For Developers” option

- On the next screen, give the source you are creating a name;
- Enter the domain of your form (for example, if your form is at “https://safetymails.com/form“, you should just enter “safetymails.com“);

- After entering the information the API Key and Source Ticket keys will be displayed for use in your script or Webservice.

Example of Ticket Source and API Key
APIKey
55a89975b74************75217b0a2eae840bd
Ticket Source
b440e8d30f068************3d08b84afe2fe50
HMAC Check
A hash-based HMAC (Message Authentication Code) should be used to determine whether a message sent over an insecure channel has been tampered with, as long as the sender and receiver share a secret key.
To generate the hash, you need to use a function that encrypts the value in the HMAC-SHA256 standard, where you enter the value in text and a key for access.
To generate the hash, you need to use a function that encrypts the value in the HMAC-SHA256 standard, where you enter the value in text and The formula for the hash below:
hash = HMAC_SHA256(VALUE, KEY);
VALUE = EMAIL
KEY = API_KEY
This hash must be sent in the request header:
Sf-Hmac: (Hash Content)
Example:
Sf-Hmac: afc5382171c3745890b56********************4aa43506326b4e1fc993cb
Query Syntax
The code used to perform the verification queries should follow the following syntax:
CODE_TICKET = SHA1 (<SOURCE_TICKET>)
https://<SOURCE_TICKET>.safetymails.com/api/<CODE_TICKET>
The email should be sent in POST with the name “email”
If you have any syntax questions, please refer to the language examples below.
Examples of use:
JavaScript example
<html>
<body>
<form action="">
<input type="email" name="email" value="">
<br>
<button type="button">OK</button>
</form>
<script>
// This function is just an example, if you prefer you can use your own javascript library
async function sha1(text) {
const encoder = new TextEncoder();
const data = encoder.encode(text);
const hashBuffer = await crypto.subtle.digest("SHA-1", data);
return [...new Uint8Array(hashBuffer)]
.map(byte => byte.toString(16).padStart(2, "0"))
.join("");
}
// This function is just an example, if you prefer you can use your own javascript library
async function hmacSHA256(value, key) {
const encoder = new TextEncoder();
const keyData = encoder.encode(key);
const valueData = encoder.encode(value);
const cryptoKey = await crypto.subtle.importKey(
"raw", keyData, { name: "HMAC", hash: { name: "SHA-256" } }, false, ["sign"]
);
const signature = await crypto.subtle.sign("HMAC", cryptoKey, valueData);
return [...new Uint8Array(signature)]
.map(byte => byte.toString(16).padStart(2, "0"))
.join("");
}
document.querySelector("button").addEventListener("click", async function () {
const emailInput = document.querySelector('[type="email"]');
if (!emailInput || emailInput.value.length < 1)
throw new Error("Invalid Email Input value");
// Enter the ticket_source and api_key values generated on the SafetyMails platform below.
const ticket = '<TK SOURCE ENTERED IN THE SAFETYMAILS PANEL>';
const api_key = '<APIKEY INFORMED IN THE SAFETYMAILS PANEL>';
const code = await sha1(ticket);
const email = emailInput.value;
const url = `https://${ticket}.safetymails.com/api/${code}`;
const hmac = await hmacSHA256(email, api_key);
let form = new FormData();
form.append('email',email);
try {
const response = await fetch(url, {
method: "POST",
headers: {
"Sf-Hmac": hmac
},
body: form
});
if (!response.ok) {
console.error(`HTTPCode ${response.status}`);
return;
}
const data = await response.json();
if (!data.Success) {
console.error("Response error", data);
return;
}
console.log("Response success", data);
} catch (error) {
console.error("Request failed", error);
}
});
</script>
</body>
</html>
PHP example
<?php
function SafetyApi($email) {
$apiKey = '<APIKEY INFORMED IN THE SAFETYMAILS PANEL>';
$tkSource = '<TK SOURCE ENTERED IN THE SAFETYMAILS PANEL>';
$timeout = 10; // Safetymails connection timeout
$url = "https://{$tkSource}.safetymails.com/api/".sha1($tkSource);
$header[] = "Sf-Hmac: " . hash_hmac('sha256', $email, $apiKey);
$post['email'] = $email;
$process = curl_init($url);
curl_setopt($process, CURLOPT_HEADER, 0);
curl_setopt($process, CURLOPT_FRESH_CONNECT, 1);
curl_setopt($process, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($process, CURLOPT_FORBID_REUSE, 1);
curl_setopt($process, CURLOPT_TIMEOUT, $timeout);
curl_setopt($process, CURLOPT_ENCODING, '');
curl_setopt($process, CURLOPT_POST, 1);
curl_setopt($process, CURLOPT_HTTPHEADER, $header);
curl_setopt($process, CURLOPT_POSTFIELDS, http_build_query($post));
$ret = curl_exec($process);
curl_close($process);
$httpCode = curl_getinfo($process, CURLINFO_HTTP_CODE);
$result = NULL;
if ($ret === false && curl_errno($process) === CURLE_OPERATION_TIMEOUTED)
$httpCode = 408; // Timeout
elseif ($httpCode == 200)
$result = json_decode($ret, true);
# HTTPCODE 400 - Invalid parameters
# HTTPCODE 401 - Invalid API Key
# HTTPCODE 402 - Insufficient credits for the query
# HTTPCODE 403 - Access from a source other than the one registered
# HTTPCODE 406 - Invalid or inactive source ticket
# HTTPCODE 408 - Timeout
# HTTPCODE 429 - Query limit per hour or minute exceeded
return ['Status'=>$httpCode, 'Result'=>$result];
}
$emailTest = "[email protected]";
print_r(SafetyApi($emailTest));
Python example
import requests
import hashlib
import hmac
def safety_api(email):
api_key = '<APIKEY INFORMED IN THE SAFETYMAILS PANEL>'
tk_source = '<TK SOURCE ENTERED IN THE SAFETYMAILS PANEL>'
timeout = 10 # Safetymails connection timeout
url = f"https://{tk_source}.safetymails.com/api/{hashlib.sha1(tk_source.encode()).hexdigest()}"
sf_hmac = hmac.new(api_key.encode(), email.encode(), hashlib.sha256).hexdigest()
headers = {"Sf-Hmac": sf_hmac}
data = {"email": email}
try:
response = requests.post(url, headers=headers, data=data, timeout=timeout)
http_code = response.status_code
result = response.json() if http_code == 200 else None
except requests.exceptions.RequestException as e:
return {"Status": "400", "Result": str(e)}
return {"Status": http_code, "Result": result}
# Exemplo de uso
if __name__ == "__main__":
email_test = "[email protected]"
resposta = safety_api(email_test)
print(resposta)