How authentication works
Every request to the EuroMail API is authenticated with an API key. A key looks
like em_live_ followed by 32 random characters. You can present it two ways.
use whichever your HTTP client makes easiest:
# Custom header (recommended)
curl https://api.euromail.dev/v1/emails \
-H "X-EuroMail-Api-Key: em_live_your_key_here"
# Standard Authorization header
curl https://api.euromail.dev/v1/emails \
-H "Authorization: Bearer em_live_your_key_here"
Keys are scoped to a single account (or sub-account). The dashboard session and the API key are independent credentials. The key never expires on its own; it is valid until you delete it.
Creating a key
Create keys from the API Keys page in the
dashboard. At creation time, give the key a
descriptive name that records where it will be used. production-backend,
ci-tests, zapier, so you can later revoke exactly one integration without
disturbing the others.
The full key is shown only once, at creation. EuroMail stores only a hash, so it can never display the secret again. Copy it into your secret manager immediately. If you lose it, delete the key and create a new one.
Storing keys safely
- Never commit keys to source control or embed them in front-end code, mobile apps, or anything that ships to a browser. A key is a bearer credential: whoever holds it can send mail as your account.
- Load keys from environment variables or a secret manager (Vault, AWS/GCP secret stores, Doppler), not from config files in the repo.
- Use a separate key per environment and per integration. This limits blast radius and makes rotation surgical.
export EUROMAIL_API_KEY="em_live_your_key_here"// Node: read from the environment, never inline
const apiKey = process.env.EUROMAIL_API_KEY;Rotating a key
Rotate on a schedule, and immediately if a key may have leaked:
- Create a new key in the dashboard.
- Deploy it to the integration (update the environment variable / secret).
- Confirm traffic is flowing on the new key.
- Delete the old key.
Because each integration has its own key, you rotate one without downtime for the rest. Delete a key via the dashboard or the API:
curl -X DELETE https://api.euromail.dev/v1/api-keys/{id} \
-H "X-EuroMail-Api-Key: em_live_an_admin_key"
Deletion takes effect immediately across all API replicas. Cached key lookups are invalidated the moment a key is revoked.
If a key leaks
- Delete it first, then investigate. A revoked key cannot send.
- Review the audit log and analytics for sends you did not make.
- Issue a replacement key and redeploy.
- If you find unexpected sends, also check your suppression list and domain reputation.
Common errors
| Response | Cause |
|---|---|
401 Unauthorized | Missing, malformed, or revoked key. |
403 Forbidden | Valid key, but the account lacks access to that resource. |
429 Too Many Requests | Rate limit exceeded. Back off and retry. |
For the per-account rate limits and how to handle 429, see the
Emails API reference.