DocumentationAPI keys and scopes
API keys and scopes
Create keys, assign permissions, and rotate credentials.
API keys provide programmatic access limited by scopes. Manage them from the dashboard or via POST /tenants/:id/api-keys (JWT).
Create a key
- Dashboard → Settings → API keys → Create
- Choose a descriptive name (
prod-nextjs,staging-crm) - Select only the scopes you need (principle of least privilege)
- Copy the full key — it is shown only once
Stored format: SHA-256 hash in the database; the plaintext key cannot be recovered.
Available scopes
| Scope | Use |
|---|---|
email:send | POST /emails/send, batch, scheduled |
email:read | GET /emails/logs, cancel scheduled |
templates:read / templates:write | Reserved; templates use JWT in current practice |
contacts:read / contacts:write | Audience and GDPR erasure |
campaigns:read / campaigns:write | Newsletter campaigns |
sequences:read / sequences:write | Automated sequences (API) |
suppressions:read / suppressions:write | Suppression list |
webhooks:manage | Outbound webhook endpoints |
If a scope is missing, the API responds with 403 and message Missing required API key scope.
Rotation
- Create a new key with the same scopes
- Update secrets in your deployment
- Revoke the old key (
DELETE /tenants/:id/api-keys/:keyId)