Authentication overview
Authentication for the Sendinblue (now Brevo) API is a fundamental step for any application or service seeking to programmatically interact with its features, such as sending emails, managing contacts, or triggering marketing automation workflows. The platform primarily relies on API keys for authenticating requests, a common and straightforward method for securing access to web APIs. This approach ensures that only authorized applications holding a valid key can perform operations on behalf of a Sendinblue account.
When an application makes a request to the Sendinblue API, it must include a unique API key. The API then validates this key against its records to confirm the sender's identity and permissions. This mechanism helps protect user data and prevents unauthorized access to Sendinblue services. Understanding how to generate, manage, and securely use these API keys is crucial for developers building integrations with Sendinblue. The Sendinblue developer documentation provides comprehensive guides for various programming languages, facilitating the integration process by offering code examples and detailed explanations of API endpoints and their required authentication parameters.
Supported authentication methods
Sendinblue's API primarily supports API key authentication. This method involves generating a unique alphanumeric string (the API key) from your Sendinblue account dashboard. This key then acts as a credential, allowing your application to send requests to the API on your behalf. Each API key is associated with your account and inherits its permissions, making key management a critical security consideration.
The API key must be transmitted securely with every API request. For the Sendinblue API, this is typically done by including the API key in the api-key HTTP header of your request. This method is widely adopted for its simplicity and effectiveness in securing API access, especially for server-to-server communication where a user's direct interaction is not required for each transaction.
Authentication Method Summary
| Method | When to Use | Security Level |
|---|---|---|
| API Key (v3) | Server-to-server communication, backend applications, scripts accessing Sendinblue services. | Moderate to High (dependent on key management practices). |
Getting your credentials
To obtain an API key for authenticating with the Sendinblue API, follow these steps within your Sendinblue account:
- Log in to your Sendinblue account: Access your Sendinblue (now Brevo) dashboard through your web browser.
- Navigate to SMTP & API: Once logged in, go to the SMTP & API section. This is usually found under your account settings or profile menu. The exact navigation path might be SMTP & API or Integrations & API, as detailed in the Sendinblue API Key documentation.
- Generate a new API key: On the SMTP & API page, you will find an option to generate a new API key. Click this button.
- Name your API key: Provide a descriptive name for your API key. This helps in identifying the key's purpose later, especially if you manage multiple keys for different applications or environments (e.g., 'My CRM Integration', 'Dev Environment API Key').
- Copy the API key: After generation, Sendinblue will display your new API key. It is crucial to copy this key immediately and store it securely, as it will only be shown once. If you lose it, you will need to generate a new one.
- Restrict IP addresses (Optional but Recommended): For enhanced security, Sendinblue allows you to restrict the IP addresses that can use a specific API key. If your application operates from a fixed set of IP addresses, configuring this restriction can prevent unauthorized use even if the key is compromised.
It is recommended to generate separate API keys for different applications or environments (e.g., development, staging, production) to facilitate easier key rotation and revocation if a key is compromised. Always treat your API keys as sensitive credentials.
Authenticated request example
After obtaining your API key, you can use it to authenticate your requests to the Sendinblue API. The key must be included in the api-key HTTP header for every request. Below is an example of how to send an authenticated request using curl to send a transactional email.
This example demonstrates sending a simple email using the /smtp/email endpoint, as outlined in the Sendinblue transactional email API reference.
```shell
curl -X POST \
  https://api.brevo.com/v3/smtp/email \
  -H 'accept: application/json' \
  -H 'api-key: YOUR_API_KEY' \
  -H 'content-type: application/json' \
  -d '{
    "sender": {"name": "Sender Name", "email": "[email protected]"},
    "to": [{"email": "[email protected]", "name": "Recipient Name"}],
    "subject": "My first transactional email",
    "htmlContent": "<html><head></head><body><p>Hello world! This is my first transactional email sent with Brevo.</p></body></html>"
  }'
```
Replace YOUR_API_KEY with the actual API key you generated from your Sendinblue account. The -H 'api-key: YOUR_API_KEY' part of the command is where the authentication credential is provided. Carrying the key in a dedicated request header, rather than in the URL query string, is standard practice for API key authentication: headers are not recorded in browser history, referrer headers, or typical access logs the way URLs are.
For programmatic integrations, Sendinblue provides official SDKs for various languages including Node.js, Ruby, PHP, Python, Java, and Go. These SDKs abstract away the HTTP request details, allowing developers to focus on application logic while handling authentication internally.
Security best practices
Securing your Sendinblue API keys and ensuring the integrity of your API interactions is crucial. Adhering to security best practices helps protect your account from unauthorized access and potential misuse. These practices are generally applicable to any API key-based authentication system.
API Key Management
- Treat API keys as passwords: Your API keys grant full access to your Sendinblue account's API capabilities. Never embed them directly in client-side code, commit them to public version control systems, or expose them in publicly accessible areas.
- Use environment variables: Store API keys in environment variables or a secure secret management service (e.g., AWS Secrets Manager, Google Cloud Secret Manager, Azure Key Vault) rather than hardcoding them in your application's source code. This practice prevents keys from being exposed if your codebase is compromised.
- Regular key rotation: Periodically generate new API keys and revoke old ones. This minimizes the window of opportunity for a compromised key to be exploited. Sendinblue allows you to generate new keys from your dashboard.
- Least privilege principle: Sendinblue's main API keys do not offer granular permissions; each key inherits the full scope of the account. Where a platform does provide scoped keys, create keys with only the permissions the specific task needs. Even with Sendinblue's broad keys the principle still applies: use a separate key per application or environment so that revoking one key affects only the integration that used it.
- IP Whitelisting: Utilize Sendinblue's feature to restrict API key usage to specific IP addresses. If your application operates from a static IP, this adds a significant layer of security, preventing the key from being used from unauthorized locations even if stolen.
Secure Communication
- Always use HTTPS: All communication with the Sendinblue API must occur over HTTPS (HTTP Secure). This encrypts data in transit, protecting your API key and other sensitive information from interception. Sendinblue enforces HTTPS for all API endpoints.
- Validate SSL certificates: Ensure that your application is configured to validate SSL/TLS certificates when making API requests. This prevents man-in-the-middle attacks where an attacker might try to impersonate the Sendinblue API.
Error Handling and Logging
- Monitor API usage: Regularly review your Sendinblue account's API usage logs for any unusual activity that might indicate a compromised key or unauthorized access.
- Implement robust error handling: Design your application to gracefully handle API errors, including authentication failures. Avoid logging API keys or other sensitive information in error messages or application logs.
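As an added example (not Sendinblue's or Brevo's own code, and not taken from their SDKs), the following Python script applies the practices above to the transactional email request shown earlier: it reads the key from an environment variable (the name BREVO_API_KEY is an assumption), sends it in the api-key header over HTTPS with certificate validation, and redacts the key from any error it reports. It uses only the standard library.

```python
import json
import os
import ssl
import urllib.request
from urllib.error import HTTPError

# Endpoint from the curl example above; the environment variable name is an assumption.
BREVO_API_URL = "https://api.brevo.com/v3/smtp/email"
KEY_ENV_VAR = "BREVO_API_KEY"


def load_api_key(env=os.environ):
    """Read the key from the environment, never from source code; fail loudly if it is missing."""
    key = env.get(KEY_ENV_VAR)
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def build_request(api_key, sender, to, subject, html):
    """Headers and JSON body for the same POST the curl example sends; the key goes in api-key."""
    headers = {"accept": "application/json", "api-key": api_key, "content-type": "application/json"}
    payload = {"sender": sender, "to": to, "subject": subject, "htmlContent": html}
    return headers, payload


def redact(text, api_key):
    """Remove the key from anything destined for a log, keeping 4 trailing chars for correlation."""
    return text.replace(api_key, f"<api-key ...{api_key[-4:]}>")


def send_email(headers, payload, api_key):
    """POST over HTTPS with certificate validation; map a 401 to a distinct, key-free error."""
    req = urllib.request.Request(BREVO_API_URL, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    # The default context verifies the server certificate against the system trust store,
    # so a forged certificate for api.brevo.com fails instead of handing the key to a MITM.
    ctx = ssl.create_default_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as err:
        detail = redact(err.read().decode(errors="replace"), api_key)
        if err.code == 401:
            raise PermissionError(f"Brevo rejected the api-key header: {detail}") from None
        raise RuntimeError(f"Brevo API error {err.code}: {detail}") from None


if __name__ == "__main__":  # live call; needs a real key in the environment
    key = load_api_key()
    hdrs, body = build_request(key, {"name": "Sender", "email": "sender@example.com"},
                               [{"email": "recipient@example.com"}], "Test", "<p>Hello</p>")
    print(send_email(hdrs, body, key))
```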
Code and Infrastructure Security
- Secure your development environment: Ensure that your development machines and build servers are secure and free from malware that could compromise your credentials.
- Dependency security: Regularly update your application's dependencies and libraries to patch any known security vulnerabilities that could indirectly expose your API keys.