Authentication & Workspaces
Authentication & Workspaces
API keys
Authenticate every request with a Bearer token:
Keys are created in the dashboard and come in two
modes — live and test. The secret is shown once at creation; we store only
a peppered hash. Revocation (DELETE /v1/api-keys/{id}) takes effect
immediately.
Workspaces
A workspace is a sending tenant inside your account: its own egress pool
and its own email history. Every account starts with a default workspace;
create more with POST /v1/workspaces (for example, one per product or
environment).
Key scopes
Sending with a platform key and no X-Workspace-Id fails with
validation.workspace_header_required; naming a workspace that isn’t yours
fails with workspace.not_found (we never reveal other tenants’ ids).
Rate limits
Send-path requests are limited per API key (per-minute fixed window). Every response carries the current budget:
On 429 rate_limit.exceeded, honour Retry-After (seconds) before retrying.
Dashboard sessions
The dashboard itself signs in through our identity provider and manages keys
over the same API (/v1/api-keys accepts dashboard sessions only — an API key
cannot mint other keys).