Bearer tokens
Every API request must include a bearer token in the Authorization header. Tokens are created in the SendLib dashboard and are tenant-scoped — each token belongs to exactly one account.
```bash
curl -X POST https://api.sendlib.com/v1/transmissions \
  -H "Authorization: Bearer $SENDLIB_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"recipients":[{"email":"user@example.com"}],"content":{"subject":"Test","text":"Hello"}}'
```
If the token is missing or invalid, the API returns 401 Unauthorized. If the token is valid but lacks the required scope for the endpoint, you'll receive 403 Forbidden.
Never expose keys client-side
API keys should only be used in server-side code. If you need client-side behavior (e.g. a contact form), build a backend endpoint that proxies the minimal action to SendLib.
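The server-side half of such a contact form, as an added example rather than SendLib's own code: the browser posts form fields to your backend, which validates them, pins the recipient, and calls the transmissions endpoint with a key read from the server's environment. The inbox address, length limits, and function names are assumptions; a key limited to the send:transmissions scope is enough for it.

```python
import json
import os
import re
import urllib.request

# Assumptions (not from the SendLib docs): the fixed inbox address, the
# length limits, and the function names below are illustrative.
SENDLIB_URL = "https://api.sendlib.com/v1/transmissions"  # endpoint shown on this page
CONTACT_INBOX = "support@example.com"  # constructed: the only recipient this proxy allows
MAX_SUBJECT, MAX_BODY = 120, 5000
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def build_transmission(form: dict) -> dict:
    """Turn untrusted form fields into the one request this proxy may make."""
    sender = str(form.get("email", "")).strip()
    subject = str(form.get("subject", "")).strip()
    message = str(form.get("message", "")).strip()
    if not EMAIL_RE.fullmatch(sender) or len(sender) > 254:
        raise ValueError("invalid email")
    if not subject or len(subject) > MAX_SUBJECT or any(c in subject for c in "\r\n"):
        raise ValueError("invalid subject")
    if not message or len(message) > MAX_BODY:
        raise ValueError("invalid message")
    # The recipient is fixed server-side and extra form keys are ignored, so the
    # form cannot be used to send mail to arbitrary addresses.
    return {
        "recipients": [{"email": CONTACT_INBOX}],
        "content": {"subject": f"[contact] {subject}",
                    "text": f"From: {sender}\n\n{message}"},
    }


def send_contact_form(form: dict) -> int:
    """Call SendLib from the server; the key never reaches the browser."""
    payload = json.dumps(build_transmission(form)).encode()
    req = urllib.request.Request(
        SENDLIB_URL, data=payload, method="POST",
        headers={"Authorization": f"Bearer {os.environ['SENDLIB_API_KEY']}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Your web framework's request handler calls `send_contact_form` with the parsed form body and maps a `ValueError` to a 400 response.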
Scoped keys
SendLib supports fine-grained permission scopes on API keys. In production, always prefer scoped keys so each service only gets the privileges it needs.
| Scope | Grants access to |
|---|---|
| send:transmissions | Create and send transmissions |
| read:events | Query message and transmission events |
| manage:webhooks | Create, update, delete, and test webhooks |
| manage:sending-domains | Domain verification and DNS management |
| manage:templates | Create and update stored templates |
| manage:suppressions | Add/remove suppression rules |
| manage:api-keys | Create additional API keys |
| manage:smtp-credentials | Create SMTP credentials |
| manage:ip-pools | Manage IP pool assignments |
| manage:pacing | Configure pacing and warmup policies |
Creating a scoped key
```bash
curl -X POST https://api.sendlib.com/v1/api-keys \
  -H "Authorization: Bearer $SENDLIB_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"prod-sender","scopes":["send:transmissions","read:events"]}'
```
Keys are shown once
The raw API key value is only returned at creation time. Store it immediately in a secret manager (AWS Secrets Manager, Vault, 1Password, etc.). You cannot retrieve it again.
Key rotation
Rotate keys regularly — at minimum quarterly, or immediately if a key may have been exposed.
- Create a new key with the same scopes.
- Deploy the new key to your services.
- Verify traffic is flowing on the new key (check `X-Request-ID` headers in logs).
- Delete the old key from the dashboard.
Zero-downtime rotation
SendLib accepts any valid key for your tenant. Deploy the new key alongside the old one, then remove the old key after confirming the cutover. There's no invalidation window.
SMTP authentication
If you use SMTP instead of REST, authenticate with credentials created through the SMTP credentials endpoint. SMTP credentials use standard AUTH LOGIN with the username and password returned at creation time.
```bash
curl -X POST https://api.sendlib.com/v1/smtp-credentials \
  -H "Authorization: Bearer $SENDLIB_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name":"prod-smtp"}'
```
Next
- Prevent duplicate sends: Idempotency
- Understand error responses: Errors
- Keep keys safe: Security