Overview

AutoSend uses API Key authentication with Bearer tokens. Every API request must include your API key in the Authorization header. API keys are tied to a specific project and provide access to all resources within that project.

Creating an API Key

Follow these steps to generate a new API key from your AutoSend dashboard:

Step 1: Navigate to API Keys Settings

  1. Log in to your AutoSend dashboard
  2. Select your project from the project dropdown (if you have multiple projects)
  3. Go to Settings > API Keys in the sidebar

Step 2: Generate New API Key

  1. Click the “Generate API Key” button in the top-right corner
  2. Enter a descriptive name for your API key:
    • Use names that describe the purpose or environment (e.g., “Production”, “Staging”, “Development”, “Marketing Automation”)
    • This helps you identify and manage multiple keys
  3. Click “Generate”

Step 3: Save Your API Key Secret

After generation, you’ll see your API Key Secret displayed once:
For security reasons, the API key secret is only shown once during creation. You will NOT be able to view it again.
  • Copy the key immediately to your clipboard
  • Store it securely (password manager, environment variables, secrets management system)
  • Download the .txt file as a backup
  • Never commit API keys to version control (Git, SVN, etc.)
  • Never share your API key publicly or in client-side code
Your API key will look like this:
as_demo_your_api_key_here

API Key Format

AutoSend API keys follow this format:
as_[secret_string]
  • as - Prefix identifying AutoSend keys
  • secret_string - Cryptographically secure alphanumeric characters

Making Authenticated Requests

Include your API key in the Authorization header of every request using the Bearer authentication scheme:

HTTP Header Format

Authorization: Bearer YOUR_API_KEY

curl -X POST https://api.autosend.com/v1/mails/send \
  -H "Authorization: Bearer as_demo_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "to": {
      "email": "[email protected]"
    },
    "from": {
      "email": "[email protected]"
    },
    "subject": "Test Email",
    "html": "<p>Hello World!</p>"
  }'

Managing API Keys

Viewing API Keys

In your dashboard under Settings > API Keys, you can see:
  • API Key Name - The label you assigned
  • API Key ID - A unique identifier for the key
  • Generated On - Creation date
Note: You cannot view the secret after creation. Only the key ID is visible.

Deleting API Keys

To delete an API key:
  1. Go to Settings > API Keys
  2. Find the API key you want to delete
  3. Click the three-dot menu icon
  4. Select “Delete”
  5. Confirm the deletion
When you delete an API key, it stops working immediately. Any applications or services using that key will start receiving authentication errors. Make sure to update your applications before deleting keys.

Best Practices for API Key Management

  1. Use Environment Variables
    # .env file
    AUTOSEND_API_KEY=as_live_your_api_key_here
    
    Never hardcode API keys in your source code.
  2. Separate Keys for Different Environments
    • Create separate keys for development, staging, and production
    • Use descriptive names: “Production API Key”, “Staging API Key”
    • This allows you to rotate keys without affecting other environments
  3. Rotate Keys Regularly
    • Generate new keys periodically (every 90 days recommended)
    • Update your applications with the new key
    • Delete the old key after confirming the new one works
  4. Limit Key Exposure
    • Never commit keys to version control
    • Don’t include keys in client-side JavaScript
    • Use secrets management services (AWS Secrets Manager, HashiCorp Vault, etc.)
    • Add files that contain API keys to .gitignore:
      .env
      .env.local
      config/secrets.json
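
A .gitignore entry only protects the listed files, so a key pasted into any other file can still be committed. The scanner below is an added example, not AutoSend code, that can run from a pre-commit hook or CI job over the changed files and fail when it finds a key-shaped string. The 20-character minimum length is an assumption; the page only specifies the `as_` prefix followed by alphanumeric characters.

```python
import re
import sys

# Assumption: the page specifies only "as_" followed by alphanumeric characters.
# The 20-character minimum is a guess made here to cut false positives.
KEY_RE = re.compile(r"\bas_[A-Za-z0-9]{20,}\b")


def redact(key):
    """Keep the prefix and last 4 characters so a finding can be matched to a
    key without copying the secret into CI logs."""
    return key[:3] + "*" * (len(key) - 7) + key[-4:]


def scan_text(text, path="<stdin>"):
    """Return (path, line_number, redacted_key) for every key-shaped string."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, number, redact(match.group())))
    return findings


def scan_files(paths):
    """Scan each readable file; paths that cannot be opened are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings.extend(scan_text(handle.read(), path))
        except OSError:
            continue  # deleted or unreadable path: nothing to scan
    return findings


# Constructed sample: a hard-coded key, the docs placeholder, an env lookup,
# and an unrelated identifier that merely contains "as_".
SAMPLE = '''\
API_KEY = "as_CONSTRUCTED0SAMPLE0KEY0000"
DOCS_KEY = "as_demo_your_api_key_here"
key = os.environ["AUTOSEND_API_KEY"]
has_permission = check(user)
'''

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample.py")
    for path, number, key in hits:
        print(f"{path}:{number}: possible AutoSend API key {key}")
    sys.exit(1 if hits else 0)
```

A key that has already reached a commit should be deleted in the dashboard and replaced, since removing it from the working tree does not remove it from history.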
      

Authentication Errors

401 Unauthorized

Error Response:
{
  "success": false,
  "message": "Unauthorized"
}
Common Causes:
  • Missing Authorization header
  • Invalid API key format
  • Expired or deleted API key
  • API key not properly prefixed with “Bearer ”
Solutions:
  • Verify the Authorization header is present
  • Check that your API key is correct and hasn’t been deleted
  • Ensure the format is: Authorization: Bearer YOUR_API_KEY
  • Confirm there’s a space after “Bearer”

403 Forbidden

Error Response:
{
  "success": false,
  "message": "Forbidden"
}
Common Causes:
  • API key doesn’t have access to the requested resource
  • API key belongs to a different project
Solutions:
  • Verify you’re using the correct API key for the project
  • Check that the resource (domain, template, etc.) exists in the project

Security Considerations

Keep Your API Keys Secret

API keys provide full access to your AutoSend account and should be treated like passwords:
  • Never share API keys in public forums, support tickets, or chat
  • Don’t include keys in screenshots or screen recordings
  • Revoke keys immediately if exposed
  • Use read-only keys when possible (future feature)

HTTPS Only

Always use HTTPS when making API requests. AutoSend APIs reject non-HTTPS requests to protect your API keys from interception.
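
Most of the 401 causes listed under Authentication Errors, and the HTTPS-only rule, can be checked locally before a request leaves the machine. The helper below is an added example, not AutoSend code; the function names are hypothetical, and the environment variable name is the one from the .env example above.

```python
import os
import urllib.request
from urllib.parse import urlsplit


def preflight(url, headers):
    """List local reasons a request would be rejected, before it is sent."""
    problems = []
    if urlsplit(url).scheme != "https":
        problems.append("URL is not HTTPS")
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return problems + ["missing Authorization header"]
    if not value.startswith("Bearer "):
        return problems + ['header value must start with "Bearer " (with the space)']
    key = value[len("Bearer "):]
    if any(ch.isspace() for ch in key):
        problems.append("API key contains whitespace, e.g. a trailing newline")
    if not key.startswith("as_") or len(key) <= len("as_"):
        problems.append('API key is not in the "as_[secret_string]" format')
    return problems


def build_request(url, body, env=os.environ):
    """Build (not send) a POST whose key comes from AUTOSEND_API_KEY, never from source."""
    key = env.get("AUTOSEND_API_KEY", "")
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    problems = preflight(url, headers)
    if problems:
        raise ValueError("; ".join(problems))  # the key itself is never put in the message
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    url = "https://api.autosend.com/v1/mails/send"
    # Constructed headers, one per failure mode; the key is the page's placeholder.
    for headers in ({}, {"Authorization": "as_demo_your_api_key_here"},
                    {"Authorization": "Bearer as_demo_your_api_key_here\n"},
                    {"Authorization": "Bearer as_demo_your_api_key_here"}):
        print(headers, "->", preflight(url, headers) or "ok")
```

A deleted key or a key from another project passes these checks and is only detectable from the 401 or 403 response.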

Rate Limiting

API keys are subject to rate limits:
  • 2 requests per second per API key
  • 50 requests per minute per API key
Exceeding these limits returns a 429 Too Many Requests error. See the API Reference for more details.
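
Both limits apply at once, so a client that paces itself at 2 requests per second still hits the per-minute cap after 25 seconds. The throttle below is an added example, not AutoSend code, that tracks both windows on the client so requests wait instead of receiving 429. It assumes sliding windows, which is the conservative choice because the page does not say how the server counts them.

```python
import time
from collections import deque


class DualWindowLimiter:
    """Client-side throttle for the two per-key limits on this page:
    2 requests per second and 50 requests per minute."""

    def __init__(self, limits=((2, 1.0), (50, 60.0)),
                 clock=time.monotonic, sleep=time.sleep):
        self.limits = limits      # (max_requests, window_seconds) pairs
        self.clock = clock        # injectable so the logic can be tested offline
        self.sleep = sleep
        self.sent = deque()       # send times, oldest first

    def wait_time(self):
        """Seconds until one more request fits inside every window."""
        now = self.clock()
        longest = max(window for _, window in self.limits)
        while self.sent and now - self.sent[0] >= longest:
            self.sent.popleft()   # older than the longest window: irrelevant
        delay = 0.0
        for max_requests, window in self.limits:
            recent = [t for t in self.sent if now - t < window]
            if len(recent) >= max_requests:
                # This request must age out of the window before we may send.
                blocking = recent[-max_requests]
                delay = max(delay, blocking + window - now)
        return delay

    def acquire(self):
        """Block until a request is allowed, record it, return seconds waited."""
        waited = 0.0
        while (delay := self.wait_time()) > 0:
            self.sleep(delay)
            waited += delay
        self.sent.append(self.clock())
        return waited
```

Call `acquire()` immediately before each API request, with one limiter instance per API key, since the limits are per key.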