Authentication
Authenticate every request with a bearer token:
Authorization: Bearer sk_live_...
Key modes
| Prefix | Mode | Behavior |
|---|---|---|
| sk_live_ | Live | Real delivery; requires a verified domain |
| sk_test_ | Sandbox | Fully simulated; no domain needed |
Key scopes
| Scope | Can send | Can read | Can manage |
|---|---|---|---|
| send_only | Yes | No | No |
| read_only | No | Yes | No |
| full_access | Yes | Yes | Yes |
Use the narrowest scope that works: send_only for production app servers, read_only for dashboards and monitors.
Rotation without downtime
Multiple keys can be active at once. Create the new key, deploy it, revoke the old one. Revocation takes effect immediately.
Storage
We store only a bcrypt hash of your key; the full key is shown exactly once at creation and is unrecoverable afterwards. Keep it in a secrets manager, never in code.
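One way to enforce "never in code" is a pre-commit or CI check that looks for the two key prefixes in source files. The scanner below is an added example, not part of this API or its tooling. It assumes a key body of 16 or more URL-safe characters, which this page does not specify, and the sample file contents and the `MAIL_API_KEY` variable name are constructed.

```python
import re

# Prefixes and modes come from the "Key modes" table on this page.
MODES = {"sk_live_": "Live", "sk_test_": "Sandbox"}

# ASSUMPTION: the page does not specify the key body format; this pattern
# treats 16+ URL-safe characters after the prefix as a key.
KEY_RE = re.compile(r"\b(sk_(?:live|test)_)([A-Za-z0-9_-]{16,})")


def redact(prefix, body):
    """Keep the prefix and last 4 characters so a finding is identifiable but not usable."""
    return f"{prefix}{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text, path="<memory>"):
    """Return one finding per hardcoded key: (path, line number, mode, redacted key)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            prefix, body = m.group(1), m.group(2)
            findings.append((path, lineno, MODES[prefix], redact(prefix, body)))
    return findings


# Constructed sample input (not real keys).
SAMPLE = '''\
import os
API_KEY = "sk_live_EXAMPLEexample0123456789"
TEST_KEY = "sk_test_EXAMPLEexample0123456789"
key = os.environ["MAIL_API_KEY"]  # loaded from the environment: not flagged
headers = {"Authorization": "Bearer sk_live_..."}  # doc placeholder: not flagged
'''

if __name__ == "__main__":
    results = scan_text(SAMPLE, "app/config.py")
    for path, lineno, mode, shown in results:
        print(f"{path}:{lineno}: hardcoded {mode} key {shown}")
    # Any hardcoded key, live or sandbox, fails the check.
    raise SystemExit(1 if results else 0)
```

A key that this check finds in committed code should be treated as exposed and rotated using the procedure under "Rotation without downtime".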