SendyStack
Log inStart now
Authentication

Authenticating requests

SendyStack uses bearer API keys. Every request must include an Authorization header carrying a key you generate from the dashboard.

The Authorization header

Send your key on the Authorization header of every request. Keys live entirely server-side — do not embed them in a frontend bundle, mobile app, or commit them to source control.

Authorization: Bearer YOUR_API_KEY

Example request

curl -X GET https://api.sendystack.com/v1/messages \
  -H "Authorization: Bearer YOUR_API_KEY"

Creating & rotating keys

  • Create scoped keys (read-only, send-only, full) in the dashboard at API Keys.
  • Each key is shown once at creation — store it in your secret manager (Vault, AWS SM, Doppler, GitHub Actions secrets).
  • Revoke instantly from the same page; in-flight requests are rejected within seconds.

Error responses

A missing or invalid key returns 401 Unauthorized with the body:

{
  "error": {
    "type": "api_error",
    "code": "invalid_api_key",
    "message": "Invalid or missing API key",
    "request_id": "req_…"
  }
}

Keep your API key secret. If you suspect a leak, rotate it immediately and re-deploy clients with the new key.