An Email API Locked Down by Default
Scoped API keys, CIDR-based IP whitelisting, per-key expiry, and Cloudflare WAF in front. A REST email API built for production teams that take credential security seriously.
Most email APIs hand you one master key.
One credential with full access to your contacts, templates, sending domains, and reports. Leak it once — through a committed `.env` file, a compromised CI runner, or a developer machine — and the entire account is exposed. sendmsg.io's API keys are designed to fail safely.
What's actually shipped
No vapor. Every feature below is in production today and visible in the console.
Scoped API Keys
Every key is limited to specific resources — email:send, contacts:read, templates:rw, reports, domains, sender IDs. Issue a key for exactly what each integration needs, nothing more.
CIDR-Based IP Allowlists
Bind each key to specific server IPs or ranges. A leaked credential used from anywhere outside your allowlist is rejected at authentication.
Expiry Dates & Instant Revoke
Set a per-key expiry and rotate credentials on a schedule. Revoke any key instantly from the console — no code change required on our side.
Hashed at Rest
Keys are hashed before storage and never logged in plaintext. The full key is shown to you exactly once at creation time.
Cloudflare WAF Upstream
DDoS protection, bot mitigation, and edge-level rate limiting handled by Cloudflare in front of the API. Abusive traffic is filtered before it reaches our origin.
Bearer Auth + REST
Standard Authorization: Bearer headers, predictable REST endpoints, structured JSON errors with clear codes. The boring parts done right.
Granular scopes, not master keys
Issue each key with the minimum permissions it needs.
email:sendSend transactional or marketing emailcontacts:readRead contact lists and segmentscontacts:writeCreate, update, delete contactstemplates:rwManage email templatesreports:readPull analytics and event datadomains:readList sending domains and DNS statussenderids:readList configured sender identitiesDefense in depth, before your code even runs
Three layers between an attacker and your account. A request has to clear all of them.
Cloudflare WAF
DDoS, bot, and abuse traffic is filtered at the edge before it reaches our origin. Custom hostnames are provisioned through the Cloudflare API.
CIDR Allowlist
If a key has an IP allowlist set, the request's source IP must match a configured CIDR range. Mismatched origins are rejected before scope checks run.
Scope & Expiry
The bearer token is hashed and matched, expiry is checked, and the requested action is verified against the key's granted scopes. Anything outside is denied.
What we don't ship (yet)
We'd rather be honest about what's missing than ship marketing copy for features that don't exist. Today the API does not include:
- •Idempotency keys — coming. For now, keep retry logic on your side and use unique message IDs to dedupe.
- •Public webhook delivery for email events — events are available via the reports API; signed-delivery webhooks for the email surface are on the roadmap.
- •Official SDKs — the API is a thin REST surface usable from any HTTP client. A first-party TypeScript SDK is planned, not shipped.