← Back to docs

API Keys & Authentication

Create, use, rotate, and secure EuroMail API keys, and understand the two authentication schemes.

How authentication works

Every request to the EuroMail API is authenticated with an API key. A key looks like em_live_ followed by 32 random characters. You can present it two ways. use whichever your HTTP client makes easiest:

# Custom header (recommended)
curl https://api.euromail.dev/v1/emails \
  -H "X-EuroMail-Api-Key: em_live_your_key_here"

# Standard Authorization header
curl https://api.euromail.dev/v1/emails \
  -H "Authorization: Bearer em_live_your_key_here"

Keys are scoped to a single account (or sub-account). The dashboard session and the API key are independent credentials. The key never expires on its own; it is valid until you delete it.

Creating a key

Create keys from the API Keys page in the dashboard. At creation time, give the key a descriptive name that records where it will be used. production-backend, ci-tests, zapier, so you can later revoke exactly one integration without disturbing the others.

The full key is shown only once, at creation. EuroMail stores only a hash, so it can never display the secret again. Copy it into your secret manager immediately. If you lose it, delete the key and create a new one.

Storing keys safely

  • Never commit keys to source control or embed them in front-end code, mobile apps, or anything that ships to a browser. A key is a bearer credential: whoever holds it can send mail as your account.
  • Load keys from environment variables or a secret manager (Vault, AWS/GCP secret stores, Doppler), not from config files in the repo.
  • Use a separate key per environment and per integration. This limits blast radius and makes rotation surgical.
export EUROMAIL_API_KEY="em_live_your_key_here"
// Node: read from the environment, never inline
const apiKey = process.env.EUROMAIL_API_KEY;

Rotating a key

Rotate on a schedule, and immediately if a key may have leaked:

  1. Create a new key in the dashboard.
  2. Deploy it to the integration (update the environment variable / secret).
  3. Confirm traffic is flowing on the new key.
  4. Delete the old key.

Because each integration has its own key, you rotate one without downtime for the rest. Delete a key via the dashboard or the API:

curl -X DELETE https://api.euromail.dev/v1/api-keys/{id} \
  -H "X-EuroMail-Api-Key: em_live_an_admin_key"

Deletion takes effect immediately across all API replicas. Cached key lookups are invalidated the moment a key is revoked.

If a key leaks

  1. Delete it first, then investigate. A revoked key cannot send.
  2. Review the audit log and analytics for sends you did not make.
  3. Issue a replacement key and redeploy.
  4. If you find unexpected sends, also check your suppression list and domain reputation.

Common errors

ResponseCause
401 UnauthorizedMissing, malformed, or revoked key.
403 ForbiddenValid key, but the account lacks access to that resource.
429 Too Many RequestsRate limit exceeded. Back off and retry.

For the per-account rate limits and how to handle 429, see the Emails API reference.

Send your first email in about 90 seconds

The free tier includes 1,000 emails a month. All data stays in Finland | GDPR compliance without the paperwork.

Create free account See live delivery data