
What are API keys?

API keys are how you authenticate requests to the SendKit API. Every API call requires a valid key passed as a Bearer token in the Authorization header. Keys are scoped to your team — any key created by a team member has access to the team’s resources (emails, domains, contacts, etc.).

Creating an API key

Go to API Keys in the dashboard and click Create API Key.
| Field | Required | Description |
| --- | --- | --- |
| Name | Yes | A label to identify the key (e.g., Production, Staging, CI/CD) |
| Permission | Yes | Access level for the key. Full access grants access to all API endpoints. Send only restricts the key to sending emails only |
| Domain | No | Optionally scope the key to a specific verified domain. When set, the key can only send emails from this domain |
| Expiration | No | Optional expiration date. After this date, the key stops working |

After creation, the full key is shown once. Copy it immediately — you won’t be able to see it again.
SendKit stores a hash of your API key, not the key itself. If you lose it, you’ll need to create a new one.

Key format

All SendKit API keys follow the format:
sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Keys start with sk_ followed by 48 random characters (51 characters total).

Using your API key

Pass the key as a Bearer token in the Authorization header on every API request. See the API Reference for examples and interactive testing. For the Laravel SDK, just set the SENDKIT_API_KEY environment variable and you’re ready to go.

Expiration

API keys can be created with or without an expiration date:
  • No expiration — The key remains active until you delete it
  • With expiration — The key automatically becomes inactive after the set date. Requests made with an expired key return a 401 error
Expired keys are not deleted — they stay visible in the dashboard so you can track usage history. You can delete them manually when no longer needed.

Security best practices

1. Use separate keys per environment
   Create different keys for production, staging, and development. If a key is compromised, you only need to rotate one.

2. Set expiration for temporary access
   If you’re sharing a key with a contractor or CI/CD pipeline, set an expiration date so it automatically stops working.

3. Never commit keys to source control
   Store keys in environment variables or secret managers. Never hardcode them in your codebase.

4. Rotate keys periodically
   Create a new key, update your application, then delete the old one. SendKit tracks when each key was last used, so you can verify the old key is no longer in use before deleting it.
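
One way to enforce practice 3, as an added example that is not SendKit's own code: a scanner that flags strings matching the key format described above and redacts them in its output. It assumes the 48 random characters are ASCII letters and digits, which this page does not state; the function names and the sample key are constructed for illustration.

```python
import re
import sys

# Format from this page: "sk_" + 48 random characters (51 total).
# Assumption: the 48 characters are ASCII letters and digits.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_[A-Za-z0-9]{48}(?![A-Za-z0-9_])")


def find_sendkit_keys(text):
    """Return (line_number, redacted_key) for each key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group()
            # Skip documentation placeholders such as sk_xxxx...x
            if len(set(key[3:])) == 1:
                continue
            # Redact so the scanner's own output does not leak the key.
            findings.append((lineno, key[:7] + "..." + key[-4:]))
    return findings


def scan_files(paths):
    """Scan files (e.g. those staged for commit); return all findings."""
    results = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            for lineno, shown in find_sendkit_keys(handle.read()):
                results.append((path, lineno, shown))
    return results


# Constructed sample input: the key below is made up, not a real credential.
SAMPLE = (
    "SENDKIT_API_KEY=sk_" + "Ab3dEf6hIj9kLm2n" * 3 + "\n"
    + 'placeholder = "sk_' + "x" * 48 + '"\n'
    + "task_" + "a1B2c3D4" * 6 + "\n"
    + 'api_key = os.environ["SENDKIT_API_KEY"]\n'
)

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else [
        ("<sample>", n, k) for n, k in find_sendkit_keys(SAMPLE)]
    for path, lineno, shown in hits:
        print(f"{path}:{lineno}: possible SendKit API key {shown}")
    sys.exit(1 if hits else 0)
```

Called from a pre-commit hook with the staged file paths as arguments, the non-zero exit status blocks the commit. A key that has already been committed should be deleted in the dashboard and replaced.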

Deleting an API key

You can delete an API key at any time from the dashboard. Deletion is immediate and irreversible — any application still using the key will start receiving 401 errors. Check the Last used column before deleting to make sure the key isn’t actively in use.

FAQ

There’s no limit. Create as many keys as you need for different environments, services, or team members.
No. The full key is only shown once at creation time. SendKit stores a secure hash, not the original key. If you lose it, create a new one.
Yes. API keys belong to the team, not individual users. Any key created by a team member can be used to access the team’s resources.
The API returns a 401 Unauthorized error. Create a new key or remove the expiration from the existing one.