API keys & authentication

SendBolt has two auth flavours: JWT (for the dashboard + short-lived sessions) and API keys (for your server-to-server traffic). Use API keys for everything you ship to production.

Minting a key

  1. Sign in to your dashboard
  2. Go to Settings → API keys
  3. Click Create key, pick a name + scopes, save
  4. Copy the key now — the value is shown once and never again

Scope reference

Scope                          Allows
transactional:send             POST /transactional/send
templates:read / :write        Template CRUD
campaigns:read / :write        Campaign CRUD + launch
contacts:read / :write         Contact CRUD + bulk import
suppressions:read / :write     Suppression list management
events:read                    Open / click / bounce event feed
reputation:read                Per-domain reputation + trust-score

Principle of least privilege: mint one key per service that needs it, with only the scopes that service uses. Rotate when an engineer leaves the team.

Sending an authenticated request

curl "$SENDBOLT_API_URL/api/v1/whoami" \
  -H "Authorization: Bearer $SENDBOLT_API_KEY"

Successful auth returns 200 with the tenant + key metadata. 401 = bad key. 403 = the key is valid but lacks the scope for this endpoint.

Rate limits

Standard limits per API key:

  • 60 req/min for read endpoints
  • 600 req/min for /transactional/send
  • 60 req/min for write endpoints (campaign launches, list edits)

Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers. On 429 we also include Retry-After in seconds — respect it.

Quota headers (W132-B)

Send-path responses also include X-Quota-Used, X-Quota-Cap, X-Quota-Remaining for the current month's plan tier. When usage ≥ 80%, X-Quota-Warning: 1 is set. When usage ≥ cap, requests return 402 Payment Required.
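
The status codes and headers described above (401, 403, 402, 429 with Retry-After, X-Quota-Warning), turned into one client-side decision function. This is an added example, not SendBolt's own code; the action names, DEFAULT_BACKOFF_S and MAX_WAIT_S are assumptions, and the sample responses are constructed.

```python
# Status codes and header names come from this page; the action names,
# DEFAULT_BACKOFF_S and MAX_WAIT_S are assumptions made for the example.
DEFAULT_BACKOFF_S = 5    # used when a 429 carries no usable Retry-After
MAX_WAIT_S = 300         # never sleep longer than this on a server hint


def _header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def classify(status, headers):
    """Return (action, wait_seconds, note) for one API response."""
    if status == 401:
        # Bad key: retrying cannot help and only adds noise to the logs.
        return ("stop", 0, "bad key: check for a revoked or mistyped key")
    if status == 403:
        return ("stop", 0, "key is valid but lacks the scope for this endpoint")
    if status == 402:
        return ("stop", 0, "monthly quota reached")
    if status == 429:
        raw = _header(headers, "Retry-After")
        # Retry-After is given in seconds; reject anything non-numeric.
        wait = int(raw) if raw and raw.isdigit() else DEFAULT_BACKOFF_S
        return ("retry", min(wait, MAX_WAIT_S), "rate limited")
    if 200 <= status < 300:
        if _header(headers, "X-Quota-Warning") == "1":
            used = _header(headers, "X-Quota-Used")
            cap = _header(headers, "X-Quota-Cap")
            return ("ok", 0, f"quota warning: {used}/{cap} used")
        return ("ok", 0, "")
    # Statuses this page does not describe are not retried blindly.
    return ("stop", 0, f"unexpected status {status}")


# Constructed sample responses (not captured from the real service).
SAMPLES = [
    (200, {"X-RateLimit-Remaining": "41"}),
    (200, {"x-quota-warning": "1", "X-Quota-Used": "8200", "X-Quota-Cap": "10000"}),
    (429, {"Retry-After": "12"}),
    (429, {"Retry-After": "soon"}),
]

if __name__ == "__main__":
    for status, headers in SAMPLES:
        print(status, classify(status, headers))
```

Treating 401 and 403 as hard stops keeps a worker holding a revoked or under-scoped key from hammering the API, and makes the failure visible in logs during a rotation.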

Rotating a key

  1. Create the new key first
  2. Deploy your service with the new key
  3. Watch for traffic on the new key in API keys (the table shows last_used_at)
  4. Wait an hour, then revoke the old key

Don't skip step 3 — if some background worker is still using the old key and you revoke it, that worker starts 401'ing.

SAML / SSO (Enterprise)

Available on Pro and Scale tiers — see SSO setup. SSO is for dashboard login only; server-to-server traffic still uses API keys.