shalommail temp API

Create and read self-destructing pastes programmatically. No API key or signup required — endpoints are public and rate-limited per IP.

Base URL: https://shalommail.com · All request/response bodies are JSON.

POST/api/tmp

Creates a new paste and returns its id.

FieldTypeRequiredNotes
contentstringyes The paste body. Max 100KB.
durationstringno One of 1h 6h 1d 3d 7d 30d 90d. Defaults to 3d.
deleteAfterOpenbooleanno Burn the paste after its first read. Defaults to true.
passwordstringno If set, the paste requires this password to reveal.

Request:

curl -X POST https://shalommail.com/api/tmp \
  -H "Content-Type: application/json" \
  -d '{
    "content": "the secret payload",
    "duration": "1d",
    "deleteAfterOpen": true,
    "password": "optional-passphrase"
  }'

Response 200:

{ "id": "9f1c2a7b8e4d0a31" }

The paste is viewable at https://shalommail.com/tmp/<id>, or fetched directly via the read endpoints below.

GET/api/tmp/:id

Fetches metadata. This call never burns/deletes the paste, so it's safe to poll or check existence.

Response shape depends on how the paste was created:

ConditionResponse
Password protected { "needsPassword": true, "deleteAfterOpen": bool }
No password, burns on read { "deleteAfterOpen": true }
No password, persists { "content", "expiresAt", "createdAt", "deleteAfterOpen": false }

Response 404 if the paste doesn't exist or has expired.

POST/api/tmp/:id

Reveals the content. Required for password-protected pastes and for any paste with deleteAfterOpen — this is the call that actually burns it.

Request body (only needed if password protected):

{ "password": "optional-passphrase" }

Response 200:

{
  "content": "the secret payload",
  "expiresAt": "2026-07-20T12:00:00.000Z",
  "createdAt": "2026-07-17T12:00:00.000Z",
  "burned": true
}

Errors: 403 missing/incorrect password · 404 not found or expired · 429 too many password attempts for this paste (5 per 5 minutes per IP).

Rate limits

ScopeLimit
All /api/* requests60 requests / minute / IP
POST /api/tmp (paste creation)20 creates / hour / IP
POST /api/tmp/:id password attempts5 attempts / 5 minutes / IP+paste

Creation responses include standard rate-limit headers so scripts can back off correctly:

X-RateLimit-Limit: 20
X-RateLimit-Remaining: 14
X-RateLimit-Reset: 1752345600      (unix seconds)

When the creation limit is exceeded, you'll get:

HTTP/1.1 429 Too Many Requests
Retry-After: 1800

{ "error": "Too many pastes created, try again later" }
Building automation on this? Respect Retry-After and back off — IPs that repeatedly ignore 429s risk being blocked at the network level, not just rate-limited.
← back to temp