API keys
Create and manage API keys to authenticate requests to the Sendfully API.
API keys authenticate your requests to the Sendfully API. You'll need one before you can send transactional emails or manage resources programmatically.
Create an API key
- Go to Settings > API keys
- Click Create API key
- Give the key a name (something like "Production app" or "Staging server")
- Choose a permission level
- Click Create key
The full API key is only shown once. Copy it and store it somewhere secure. If you lose it, you'll need to create a new one.
Permissions
API keys have two permission levels:
| Permission | What it allows |
|---|---|
| Sending | Send transactional emails via the /v1/emails/send endpoint or SMTP |
| Full access | Send emails and manage your resources through the API |
If your integration only sends emails, use the Sending permission. Use Full access if it also needs to create or update contacts and other resources.
Prefer the narrowest permission that covers your use case. A Sending key can't read or modify contacts, so there's less to worry about if a key is accidentally exposed.
Using an API key
Pass your API key in the Authorization header as a Bearer token:
curl -X POST https://api.sendfully.com/v1/emails/send \ -H "Authorization: Bearer sf_live_..." \ -H "Content-Type: application/json" \ -d '{ "templateId": "welcome_email_a1b2", "to": "recipient@example.com" }'Manage your keys
The Settings > API keys page lists all your keys along with their last-used date, which can be useful for cleaning up keys that haven't been used in a while.
Revoke a key
If a key is compromised or no longer needed:
- Go to Settings > API keys
- Click the menu on the key you want to revoke
- Select Revoke key
Revocation is immediate. Any request using that key will start returning errors. Revoked keys stay visible in the list for your records but can't be reactivated.
Best practices
- Name keys after the service or environment that uses them ("Production backend", "Staging app") so they're easy to identify when you need to rotate or revoke one.
- If an integration only sends emails, give it a sending key. Full access keys can be used for integrations that also need to manage contacts or other resources.
- To rotate a key, create a new one, update your integration, then revoke the old one.
- Never commit keys to version control. Store them in environment variables or a secrets manager.
See also
- Getting started with transactional emails - create a template and send your first email
- Send email API reference - full reference for the send endpoint
- Sending domain - set up your domain if you haven't already