docs.do.dev
send.dev

All Send.dev API requests require authentication using an API key. This page covers how to obtain and use API keys securely.

API Key Types

Send.dev provides two types of API keys:

TypePrefixUsage
Livesk_live_Production environment
Testsk_test_Testing and development

Test Mode

Test mode API keys work identically to live keys, but emails are validated without being sent. Use test mode to develop and debug your integration without consuming your quota.

Using Your API Key

Include your API key in the Authorization header of every request:

curl https://api.send.dev/v1/emails \
  -H "Authorization: Bearer sk_live_your_api_key"

Header Format

Authorization: Bearer <your_api_key>

Never Expose API Keys

Never include API keys in client-side code, URLs, or public repositories. API keys should only be used server-side.

Creating API Keys

  1. Log in to your Send.dev Dashboard
  2. Navigate to Settings → API Keys
  3. Click Create API Key
  4. Optionally, add a description (e.g., "Production server", "CI/CD pipeline")
  5. Click Create

Copy Your Key

Your API key is only shown once at creation. Copy it immediately and store it securely.

Domain Restrictions

API keys can be scoped to specific sending domains for added security:

  1. When creating an API key, select Restrict to domains
  2. Choose which verified domains this key can send from
  3. Any send attempt from an unauthorized domain will fail with a 403 Forbidden error

This is useful for:

  • Limiting blast radius if a key is compromised
  • Giving different teams access to different domains
  • Separating production and staging environments

Revoking API Keys

If an API key is compromised or no longer needed:

  1. Go to Settings → API Keys
  2. Find the key you want to revoke
  3. Click the Revoke button
  4. Confirm the revocation

Immediate Effect

Revoking a key takes effect immediately. Any requests using that key will fail.

Authentication Errors

Status CodeErrorDescription
401unauthorizedMissing or invalid API key
403forbiddenValid key, but lacks permission for this action
429rate_limitedToo many requests—slow down

Example Error Response

{
  "error": {
    "code": "unauthorized",
    "message": "Invalid API key provided",
    "docs_url": "https://send.dev/docs/authentication"
  }
}

Best Practices

  1. Use environment variables - Never hardcode API keys
  2. Rotate regularly - Create new keys periodically and revoke old ones
  3. Scope keys - Use domain restrictions when possible
  4. Monitor usage - Check the dashboard for unusual activity
  5. Use test keys for development - Avoid using live keys in development environments
  6. Separate keys per environment - Use different keys for staging and production

Environment Variables Example

# .env file (never commit this!)
SEND_API_KEY=sk_live_your_api_key_here
// Node.js
const apiKey = process.env.SEND_API_KEY;
if (!apiKey) {
  throw new Error('SEND_API_KEY environment variable is required');
}

Next Steps

API Keys

Managing API keys for secure access to the Send.dev API

Changelog

Latest updates and improvements to Send.dev

On this page

API Key TypesUsing Your API KeyHeader FormatCreating API KeysDomain RestrictionsRevoking API KeysAuthentication ErrorsExample Error ResponseBest PracticesEnvironment Variables ExampleNext Steps