
Overview

AutoSend uses API Key authentication with Bearer tokens. Every API request must include your API key in the Authorization header. AutoSend has two types of API keys, each with different scope and purpose.

Key Types

  • Project API Key (AS_...): Scoped to a single project. Use this for sending emails, managing contacts, templates, campaigns, and all day-to-day operations. This is the right choice for most integrations.
  • Account API Key (ASA_...): Cross-project scope. Use this when you need to programmatically create, update, or delete projects - for example, when building a multi-tenant platform. All requests made with an Account API Key require an x-project-id header to specify the target project, except when creating a new project.

Creating an API Key

2. Generate a New API Key

A modal will open where you:
  1. Enter a descriptive name (e.g. Production, Staging, Multi-tenant Service)
  2. Select the key type: Account API Key or Project API Key
  3. If you selected Project API Key: choose which project this key belongs to
Click “Generate”.

3. Save Your API Key Secret

After generation, your API Key Secret is shown once:
For security reasons, the API key secret is only shown once during creation. You will NOT be able to view it again.
  • Copy the key immediately to your clipboard
  • Store it securely in a password manager or secrets vault
  • Download the .txt file as a backup
  • Never commit API keys to version control
  • Never share your API key publicly or in client-side code

API Key Formats

AutoSend API keys follow these formats depending on the type:
ASA_[secret_string]   ← Account API Key
AS_[secret_string]    ← Project API Key
  • ASA: Prefix for Account-scoped keys
  • AS: Prefix for Project-scoped keys
  • secret_string: Cryptographically secure alphanumeric characters

Making Authenticated Requests

Include your API key in the Authorization header of every request.

Project API Key

Authorization: Bearer AS_your_project_api_key
curl -X POST https://api.autosend.com/v1/mails/send \
  -H "Authorization: Bearer AS_your_project_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "to": {
      "email": "recipient@example.com"
    },
    "from": {
      "email": "sender@example.com"
    },
    "subject": "Test Email",
    "html": "<p>Hello World!</p>"
  }'

Account API Key

Account API Keys require an additional x-project-id header on all requests, so AutoSend knows which project to operate on.
Authorization: Bearer ASA_your_account_api_key
x-project-id: your_project_id
The x-project-id header is not required when creating a new project, since no project exists yet to target.
To find your Project ID, go to Project Settings > General and copy it from the Project Info section.
curl -X POST https://api.autosend.com/v1/mails/send \
  -H "Authorization: Bearer ASA_your_account_api_key" \
  -H "x-project-id: your_project_id" \
  -H "Content-Type: application/json" \
  -d '{
    "to": {
      "email": "recipient@example.com"
    },
    "from": {
      "email": "sender@example.com"
    },
    "subject": "Test Email",
    "html": "<p>Hello World!</p>"
  }'
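
A client-side pre-flight check for the header rules above, as an added example that is not AutoSend's own code. It fails before any request is sent if the URL is not HTTPS, the key prefix is unknown, or an Account API Key lacks x-project-id. The function names are hypothetical; the environment variable names are the ones used in this page's .env sample.

```python
import os
from urllib.parse import urlsplit

ACCOUNT_PREFIX = "ASA_"  # Account API Key (cross-project)
PROJECT_PREFIX = "AS_"   # Project API Key (single project)


def key_type(api_key):
    """Classify a key by its documented prefix."""
    if api_key.startswith(ACCOUNT_PREFIX):
        return "account"
    if api_key.startswith(PROJECT_PREFIX):
        return "project"
    raise ValueError("API key must start with AS_ or ASA_")


def redact(api_key):
    """Log-safe form: the prefix only, never any secret characters."""
    return api_key.split("_", 1)[0] + "_****"


def build_headers(url, api_key, project_id=None, creating_project=False):
    """Return request headers, or raise before anything leaves the process."""
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has stray whitespace")
    headers = {"Authorization": f"Bearer {api_key}",
               "Content-Type": "application/json"}
    if key_type(api_key) == "account":
        if project_id:
            headers["x-project-id"] = project_id
        elif not creating_project:
            # Only project creation may omit the target project.
            raise ValueError("Account API Key requires x-project-id")
    return headers


def headers_from_env(url, env=os.environ):
    """Prefer the narrower Project key; fall back to the Account key."""
    key = env.get("AUTOSEND_API_KEY") or env.get("AUTOSEND_ACCOUNT_API_KEY")
    if not key:
        raise ValueError("no AutoSend API key in the environment")
    return build_headers(url, key, env.get("AUTOSEND_PROJECT_ID"))
```

Use redact() whenever a key has to appear in a log line or error message.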

Choosing the Right API Key

  • Use a Project API Key for everyday operations: sending emails, managing contacts, templates, campaigns, and webhooks within a specific project. This is the right key for most integrations.
  • Use an Account API Key only when managing projects themselves - for example, when building a multi-tenant platform that automatically provisions new projects for each of your customers.

Managing API Keys

Viewing API Keys

In your dashboard under Account > API Keys, you can see:
  • API Key Name: the label you assigned
  • Type: Account or Project
  • Project: the associated project (Project API Keys only)
  • Generated On: creation date
Note: You cannot view the secret after creation. Only the key ID is visible.

Deleting API Keys

To delete an API key:
  1. Go to Account > API Keys
  2. Find the key you want to delete
  3. Click the trash icon
  4. Confirm the deletion
When you delete an API key, it stops working immediately. Any applications or services using that key will start receiving authentication errors. Make sure to update your applications before deleting keys.

Best Practices for API Key Management

  1. Use Environment Variables
    # .env file
    AUTOSEND_API_KEY=AS_your_project_api_key
    AUTOSEND_ACCOUNT_API_KEY=ASA_your_account_api_key
    AUTOSEND_PROJECT_ID=your_project_id
    
    Never hardcode API keys in your source code.
  2. Separate Keys for Different Environments
    • Create separate Project API Keys for development, staging, and production
    • Use descriptive names: Production, Staging, Development
    • This allows you to rotate keys without affecting other environments
  3. Rotate Keys Regularly
    • Generate new keys periodically (every 90 days recommended)
    • Update your applications with the new key
    • Delete the old key after confirming the new one works
  4. Limit Key Exposure
    • Never commit keys to version control
    • Don’t include keys in client-side JavaScript
    • Use secrets management services (AWS Secrets Manager, HashiCorp Vault, etc.)
    • Add files that contain API keys to .gitignore:
      .env
      .env.local
      config/secrets.json
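
A scanner for keys that slip past .gitignore, as an added example that is not part of AutoSend's documentation or tooling. It matches the AS_ and ASA_ formats described on this page and reports only the prefix, so the scanner's own output never leaks a secret. The page does not state the secret length, so the 16-character minimum is an assumption; the sample keys are constructed.

```python
import re
import sys

# Assumption: 16+ alphanumerics after the prefix counts as a candidate key.
# Placeholders such as AS_your_project_api_key contain underscores and are skipped.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(ASA|AS)_[A-Za-z0-9]{16,}(?![A-Za-z0-9])")
KIND = {"ASA": "account", "AS": "project"}


def scan_text(text, path="<text>"):
    """Return one finding per key-shaped token, with the secret redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": KIND[m.group(1)],
                             "match": m.group(1) + "_****"})
    return findings


def scan_files(paths):
    """Scan files given on the command line, e.g. the staged file list."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), path)
        except OSError:
            continue  # deleted or unreadable file: nothing to scan
    return findings


# Constructed sample: line 1 is the page's placeholder, lines 2-3 are fake keys.
SAMPLE = (
    "AUTOSEND_API_KEY=AS_your_project_api_key\n"
    "AUTOSEND_API_KEY=AS_" + "x7Qm2Lr9Tz4Kp8Vw3Ns6" + "\n"
    'const key = "ASA_' + "Bd5Hj1Yc8Rf0Gu2Ea7Mo" + '";\n'
)

if __name__ == "__main__":
    found = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample")
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['kind']} API key {f['match']}")
    sys.exit(1 if found else 0)
```

Run it from a pre-commit hook with the output of `git diff --cached --name-only --diff-filter=ACM` as arguments; a non-zero exit blocks the commit.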
      

Authentication Errors

Error Response:
{
	"success": false,
	"message": "Unauthorized"
}
Common Causes:
  • Missing Authorization header
  • Invalid API key format
  • Expired or deleted API key
  • API key not properly prefixed with “Bearer ”
Solutions:
  • Verify the Authorization header is present
  • Check that your API key is correct and hasn’t been deleted
  • Ensure the format is: Authorization: Bearer YOUR_API_KEY
  • Confirm there’s a space after “Bearer”
Error Response:
{
	"success": false,
	"message": "Forbidden"
}
Common Causes:
  • API key doesn’t have access to the requested resource
  • Using a Project API Key to access a different project’s resources
  • Missing x-project-id header when using an Account API Key
Solutions:
  • Verify you’re using the correct API key for the project
  • If using an Account API Key, ensure the x-project-id header is present and correct
  • Check that the resource (domain, template, etc.) exists in the target project

Keep Your API Keys Secret

API keys provide full access to your AutoSend account and should be treated like passwords:
  • Never share API keys in public forums, support tickets, or chat
  • Don’t include keys in screenshots or screen recordings
  • Revoke keys immediately if exposed
HTTPS Only: Always use HTTPS when making API requests. AutoSend APIs reject non-HTTPS requests to protect your API keys from interception.

Rate Limiting

API keys are subject to rate limits:
  • 2 requests per second per API key
  • 50 requests per minute per API key
Exceeding these limits returns a 429 Too Many Requests error. See the API Reference for more details.
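
A client-side throttle that keeps one key under both limits at once, as an added example that is not AutoSend's own code. It tracks send times in a sliding window and sleeps just long enough to satisfy the per-second and per-minute caps listed above. The class name is hypothetical, and the clock and sleep functions are injectable so the behaviour can be checked without waiting.

```python
import time
from collections import deque


class KeyRateLimiter:
    """One instance per API key, since the limits apply per key."""

    # (max requests, window in seconds), as listed on this page
    LIMITS = ((2, 1.0), (50, 60.0))

    def __init__(self, clock=time.monotonic, sleep=time.sleep):
        self._clock = clock
        self._sleep = sleep
        self._sent = deque()  # send times within the longest window

    def wait_time(self):
        """Seconds to wait before the next request fits every window."""
        now = self._clock()
        longest = max(window for _, window in self.LIMITS)
        while self._sent and now - self._sent[0] >= longest:
            self._sent.popleft()
        delay = 0.0
        for limit, window in self.LIMITS:
            recent = [t for t in self._sent if now - t < window]
            if len(recent) >= limit:
                # Wait until the limit-th most recent send leaves the window.
                delay = max(delay, recent[-limit] + window - now)
        return delay

    def acquire(self):
        """Block until a request is allowed; return the time slept."""
        delay = self.wait_time()
        if delay > 0:
            self._sleep(delay)
        self._sent.append(self._clock())
        return delay
```

Call acquire() immediately before each request; a 429 that still arrives means another process is sharing the same key.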