I had a few thoughts on authentication I would like to share. I tried sending this earlier, but it doesn't seem to have worked.
I was coding my inbound processor when I noticed I have no way to validate that the message was from Postmark. Given that this is not a publicly documented URL for my inbound processor there isn't too much of an issue, but some authentication scheme would be nice. Moreover, I took a close look at the API I use to send an email, and it relies on just a simple API key sent in a header. I think this can be done better. Admittedly the biggest issue is backwards compatibility, so you don't have to release a new API version just for this.
My idea for API authentication is to introduce a shared secret. The shared secret would be a random string you would generate for me and show to me when I log in to the app. For backwards compatibility I would have to opt in to a shared secret for each server I want to use it with. Then with each API call I would send one more header; call it whatever you like, maybe X-Postmark-Signature. To get the value of this I would take the JSON request string, append the shared secret, and make a hash using SHA1, MD5, doesn't matter too much as long as it's consistent. When you receive the request, by my API key you can see my server has a shared secret; then you can take the JSON, append my shared secret, hash it and compare to the signature header. This verifies both my identity as well as the integrity of the JSON request.
For inbound processing you would take the same steps to sign the request using the JSON and my shared secret, which I could easily validate on my end.
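Both directions of the scheme described in this post, as an added example (not the poster's code and not anything Postmark ships). It assumes the existing API-key header is named X-Postmark-Server-Token, uses the X-Postmark-Signature header name the post suggests, and swaps in HMAC-SHA256 for the plain hash-of-JSON-plus-secret the post describes; the per-server records, keys and message bodies are constructed samples.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

SIGNATURE_HEADER = "X-Postmark-Signature"    # header name proposed in the post
API_KEY_HEADER = "X-Postmark-Server-Token"  # assumed name for the existing API-key header


def sign_body(body: bytes, secret: bytes) -> str:
    """Keyed hash over the raw request body.

    The post proposes hash(json + secret); this swaps in HMAC-SHA256, the
    standard construction for keying a hash. Both sides compute the same
    value, so one function serves the sender and the verifier."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_body(body: bytes, signature: str, secret: bytes) -> bool:
    """Recompute the signature over the bytes actually received and compare
    in constant time, so timing does not reveal how much of a guess matched."""
    return hmac.compare_digest(sign_body(body, secret), signature)


# --- Customer side: sign an outbound API call --------------------------------

def build_outbound_request(message: dict, api_key: str,
                           secret: Optional[bytes]) -> Tuple[Dict[str, str], bytes]:
    body = json.dumps(message, separators=(",", ":")).encode()
    headers = {API_KEY_HEADER: api_key, "Content-Type": "application/json"}
    if secret is not None:                  # only servers that opted in sign
        headers[SIGNATURE_HEADER] = sign_body(body, secret)
    return headers, body


# --- Provider side: authenticate an incoming API call -----------------------

# Constructed sample records. A None secret means that server has not opted
# in, so it is still accepted on the API key alone (backwards compatibility).
SERVERS = {
    "legacy-key-000": {"name": "legacy-server", "secret": None},
    "server-key-123": {"name": "signed-server", "secret": b"constructed-shared-secret"},
}


def authenticate_api_call(headers: Dict[str, str], body: bytes) -> Optional[str]:
    """Return the server name if the call is accepted, otherwise None."""
    server = SERVERS.get(headers.get(API_KEY_HEADER, ""))
    if server is None:
        return None                          # unknown API key
    secret = server["secret"]
    if secret is None:
        return server["name"]                # not opted in: key alone suffices
    signature = headers.get(SIGNATURE_HEADER)
    if signature is None:
        return None                          # opted in but unsigned: reject
    return server["name"] if verify_body(body, signature, secret) else None


def demo() -> Dict[str, bool]:
    """Exercise both directions and the failure cases."""
    secret = SERVERS["server-key-123"]["secret"]
    msg = {"From": "me@example.com", "To": "you@example.com", "Subject": "hi"}

    headers, body = build_outbound_request(msg, "server-key-123", secret)
    results = {"signed_call_ok": authenticate_api_call(headers, body) == "signed-server"}

    # Attacker alters the JSON in transit: signature no longer matches.
    tampered = body.replace(b"you@example.com", b"attacker@example.com")
    results["tampered_rejected"] = authenticate_api_call(headers, tampered) is None

    # Opted-in server sends no signature header at all.
    unsigned = {k: v for k, v in headers.items() if k != SIGNATURE_HEADER}
    results["missing_sig_rejected"] = authenticate_api_call(unsigned, body) is None

    # Legacy server never opted in: accepted on the API key alone.
    lh, lb = build_outbound_request(msg, "legacy-key-000", None)
    results["legacy_ok"] = authenticate_api_call(lh, lb) == "legacy-server"

    # Inbound direction: provider signs the webhook payload with the same
    # secret and the customer verifies it with verify_body().
    inbound = json.dumps({"From": "sender@example.org", "TextBody": "hello"}).encode()
    sig = sign_body(inbound, secret)
    results["inbound_ok"] = verify_body(inbound, sig, secret)

    # Re-serialising the parsed JSON changes the bytes (whitespace), so the
    # verifier must hash the raw body it received, not a re-encoded copy.
    reencoded = json.dumps(json.loads(inbound), separators=(",", ":")).encode()
    results["reencoded_fails"] = not verify_body(reencoded, sig, secret)
    return results


if __name__ == "__main__":
    print(demo())
```

Two points the checks make concrete: a server that has opted in but arrives without the signature header is rejected rather than quietly falling back to the API key, and the verifier must hash the exact bytes it received, since parsing and re-serialising the JSON changes whitespace and the signature with it.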