> ## Documentation Index
> Fetch the complete documentation index at: https://docs.sendkit.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create and manage API keys to authenticate your requests to the SendKit API.

## What are API keys?

API keys are how you authenticate requests to the SendKit API. Every API call requires a valid key passed as a Bearer token in the `Authorization` header.

Keys are scoped to your team — any key created by a team member has access to the team's resources (emails, domains, contacts, etc.).

## Creating an API key

Go to **API Keys** in the dashboard and click **Create API Key**.

| Field          | Required | Description                                                                                                                          |
| -------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------ |
| **Name**       | Yes      | A label to identify the key (e.g., `Production`, `Staging`, `CI/CD`)                                                                 |
| **Permission** | Yes      | Access level for the key. **Full access** grants access to all API endpoints. **Send only** restricts the key to sending emails only |
| **Domain**     | No       | Optionally scope the key to a specific verified domain. When set, the key can only send emails from this domain                      |
| **Expiration** | No       | Optional expiration date. After this date, the key stops working                                                                     |

After creation, the full key is shown **once**. Copy it immediately — you won't be able to see it again.

<Warning>
  SendKit stores a hash of your API key, not the key itself. If you lose it, you'll need to create a new one.
</Warning>

## Key format

All SendKit API keys follow the format:

```
sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

Keys start with `sk_` followed by 48 random characters (51 characters total).

## Using your API key

Pass the key as a Bearer token in the `Authorization` header on every API request. See the [API Reference](/api-reference/introduction) for examples and interactive testing.

For the [Laravel SDK](/sdks/laravel), just set the `SENDKIT_API_KEY` environment variable and you're ready to go.

## Expiration

API keys can be created with or without an expiration date:

* **No expiration** — The key remains active until you delete it
* **With expiration** — The key automatically becomes inactive after the set date. Requests made with an expired key return a `401` error

Expired keys are not deleted — they stay visible in the dashboard so you can track usage history. You can delete them manually when no longer needed.

## Security best practices

<Steps>
  <Step title="Use separate keys per environment">
    Create different keys for production, staging, and development. If a key is compromised, you only need to rotate one.
  </Step>

  <Step title="Set expiration for temporary access">
    If you're sharing a key with a contractor or CI/CD pipeline, set an expiration date so it automatically stops working.
  </Step>

  <Step title="Never commit keys to source control">
    Store keys in environment variables or secret managers. Never hardcode them in your codebase.
  </Step>

  <Step title="Rotate keys periodically">
    Create a new key, update your application, then delete the old one. SendKit tracks `last used at` so you can verify the old key is no longer in use before deleting it.
  </Step>
</Steps>

## Deleting an API key

You can delete an API key at any time from the dashboard. Deletion is **immediate and irreversible** — any application still using the key will start receiving `401` errors.

Check the **Last used** column before deleting to make sure the key isn't actively in use.

## FAQ

<AccordionGroup>
  <Accordion title="How many API keys can I create?">
    There's no limit. Create as many keys as you need for different environments, services, or team members.
  </Accordion>

  <Accordion title="Can I see the full key after creation?">
    No. The full key is only shown once at creation time. SendKit stores a secure hash, not the original key. If you lose it, create a new one.
  </Accordion>

  <Accordion title="Do all team members share the same API keys?">
    Yes. API keys belong to the team, not individual users. Any key created by a team member can be used to access the team's resources.
  </Accordion>

  <Accordion title="What happens if I use an expired key?">
    The API returns a `401 Unauthorized` error. Create a new key or remove the expiration from the existing one.
  </Accordion>
</AccordionGroup>
