Authentication
Authenticate your API requests with API keys.
All API requests to send0 require authentication via an API key. Include your key in the Authorization header as a Bearer token.
API key types
| Prefix | Type | Description |
|---|---|---|
| sk_live_ | Production | Real sends, production data |
| sk_test_ | Test | Sandbox mode, no real delivery |
| sk_restr_ | Restricted | Scoped permissions for specific operations |
Production keys (sk_live_) send real emails to real inboxes. Use these in your production environment only.
Test keys (sk_test_) simulate the full API flow without sending real emails. Use these during development and in CI/CD pipelines.
Restricted keys (sk_restr_) are scoped to specific permissions. Use these when you need to grant limited access — for example, a key that can only send emails but cannot manage domains or contacts.
Using the SDK
Pass your API key when initializing the SDK.
```ts
import { Send0 } from 'send0';

const send0 = new Send0('sk_live_...');
```
The SDK includes the Authorization header automatically on every request.
Using curl
Include the Authorization header with the Bearer prefix.
```bash
curl https://api.send0.dev/v1/emails \
  -H "Authorization: Bearer sk_live_..."
```
Security
API keys are hashed with SHA-256 before storage. send0 never stores your key in plain text. This means:
- You can only see the full key once — at creation time.
- If you lose a key, you must revoke it and create a new one.
- Even if our database were compromised, your keys would remain safe.
Best practices
- Never expose keys in client-side code. API keys should only be used in server-side environments. Embedding a key in a browser or mobile app exposes it to anyone who inspects the source.
- Use environment variables. Store your key in an environment variable like SEND0_API_KEY and reference it in code.
  ```ts
  const send0 = new Send0(process.env.SEND0_API_KEY!);
  ```
- Use test keys in development. Always use sk_test_ keys during development and testing. They behave identically to production keys but never send real emails.
- Use restricted keys for third-party integrations. If you're giving access to a service or contractor, create a restricted key with only the permissions they need.
- Rotate keys regularly. You can create and revoke keys at any time from the dashboard.
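The key-type and environment rules above can be enforced when the server starts instead of being left to convention. This is an added example, not code from the send0 SDK or its documentation: the function names, the NODE_ENV check and the allow/deny policy are assumptions, and the sample key is constructed.

```javascript
// Added example; only the three prefixes come from the key-type table on this page.
const KEY_TYPES = [
  { prefix: 'sk_live_', type: 'production' },
  { prefix: 'sk_test_', type: 'test' },
  { prefix: 'sk_restr_', type: 'restricted' },
];

// Classify a key by its documented prefix; null for anything else,
// including a bare prefix with no secret part after it.
function keyType(key) {
  if (typeof key !== 'string') return null;
  const match = KEY_TYPES.find(
    ({ prefix }) => key.startsWith(prefix) && key.length > prefix.length
  );
  return match ? match.type : null;
}

// Safe-to-log form: keeps the prefix only, never any secret characters.
function redactKey(key) {
  if (typeof key !== 'string') return '***';
  const match = KEY_TYPES.find(({ prefix }) => key.startsWith(prefix));
  return match ? `${match.prefix}***` : '***';
}

// Fail closed at startup: throw unless the key type fits the environment.
// Assumed policy: live keys only in production, test keys never in production,
// restricted keys allowed in both.
function loadApiKey(env) {
  const key = env.SEND0_API_KEY;
  const type = keyType(key);
  if (type === null) {
    throw new Error('SEND0_API_KEY is missing or has an unknown prefix');
  }
  const isProd = env.NODE_ENV === 'production'; // assumed environment signal
  if (type === 'production' && !isProd) {
    throw new Error(`Refusing ${redactKey(key)} outside production`);
  }
  if (type === 'test' && isProd) {
    throw new Error(`Refusing ${redactKey(key)} in production`);
  }
  return key;
}

// Constructed sample values, not real keys.
const sample = { NODE_ENV: 'development', SEND0_API_KEY: 'sk_test_EXAMPLEONLY' };
console.log(redactKey(loadApiKey(sample))); // sk_test_***
```

In an application, call it once with process.env and pass the returned key to the Send0 constructor, so a misconfigured deployment stops before any request is made.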
Managing keys
Create, view, and revoke API keys from the dashboard at app.send0.dev under Settings > API Keys.
When you revoke a key, all requests using that key will immediately return a 401 invalid_api_key error.