Authentication

All requests to the Sendiee API require authentication via a Bearer token. Include your API key in the Authorization header of every request.

Bearer Token Authentication

Every request to /v2.0/* endpoints must include an Authorization header with a valid Bearer token:

curl -X GET https://api.sendiee.com/v2.0/contacts \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

Key Types

Sendiee supports two kinds of API keys. Both authenticate the same way — the only difference is what they are allowed to do:

  • Scoped keys (recommended) — start with sk_ and carry an explicit list of permissions. Create one per integration with only the scopes it needs. See API Key Scopes.
  • Legacy key — a single full-access key. Existing legacy keys keep working unchanged, but the legacy key is planned for deprecation — prefer scoped keys for new integrations.

Where to Find Your API Key

  1. Log in to your Sendiee Dashboard
  2. Navigate to API & Webhooks → API Keys
  3. Click Create key, give it a label, and select the scopes the app needs
  4. Copy or download your key immediately — scoped keys are shown only once and stored hashed

Domain Whitelisting

If you plan to make API calls from a browser (client-side JavaScript), the requesting domain must be whitelisted in your Sendiee dashboard under Settings → API → Whitelisted Domains.

This is an additional security measure. Requests from non-whitelisted domains will receive a DOMAIN_NOT_WHITELISTED error.

Authentication Error Codes

Error Responses

ParameterTypeDescription
API_KEY_MISSINGstringHTTP 401 — No API key was provided in the Authorization header.
INVALID_API_KEYstringHTTP 401 — The API key does not exist or has been revoked.
ORG_INACTIVEstringHTTP 403 — Your organisation account is inactive. Contact Sendiee support.
DOMAIN_NOT_WHITELISTEDstringHTTP 403 — The request origin domain is not in your allowed domains list.
INSUFFICIENT_SCOPEstringHTTP 403 — The scoped API key does not include the scope this endpoint requires. The response's required_scope field names the missing scope. See API Key Scopes.