OOpenSend Docs
Docs navigationBrowse documentation216
OverviewStart here

OpenSend docs

How to handle API keys

API keys are bearer credentials. Anyone with a valid key can call the OpenSend API within that key's permissions and restrictions.

Raw markdown

Storage

  • Store keys in a server-side secret manager or environment variable.
  • Never commit keys to git.
  • Never expose keys in browser bundles, mobile apps, logs, analytics, or support screenshots.
  • Use separate keys for local, staging, CI, and production.

Rotation

Create a new key, deploy it, confirm traffic is using it, then revoke the old key. Rotate immediately after an employee offboards, a repository leak, or a suspicious support incident.

Restrictions

Use domain-restricted keys when an integration should only send from one domain. Keep high-privilege management keys out of application runtime code when a narrower sending key is enough.

Incident response

If a key leaks, revoke it first. Then inspect logs for unusual sends, new domains, API key changes, broadcast activity, and suppression changes.