Authentication
All requests to the Sendiee API require authentication via a Bearer token. Include your API key in the Authorization header of every request.
Bearer Token Authentication
Every request to /v2.0/* endpoints must include an Authorization header with a valid Bearer token:
curl -X GET https://api.sendiee.com/v2.0/contacts \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json"Key Types
Sendiee supports two kinds of API keys. Both authenticate the same way — the only difference is what they are allowed to do:
- Scoped keys (recommended) — start with
sk_and carry an explicit list of permissions. Create one per integration with only the scopes it needs. See API Key Scopes. - Legacy key — a single full-access key. Existing legacy keys keep working unchanged, but the legacy key is planned for deprecation — prefer scoped keys for new integrations.
Where to Find Your API Key
- Log in to your Sendiee Dashboard
- Navigate to API & Webhooks → API Keys
- Click Create key, give it a label, and select the scopes the app needs
- Copy or download your key immediately — scoped keys are shown only once and stored hashed
Keep Your API Key Secure
Never expose your API key in client-side code, public repositories, or browser-accessible locations — treat it like a password. Use scoped keys to limit what a leaked key could do: a key with only the scopes it needs has a far smaller blast radius than a full-access key.
Domain Whitelisting
If you plan to make API calls from a browser (client-side JavaScript), the requesting domain must be whitelisted in your Sendiee dashboard under Settings → API → Whitelisted Domains.
This is an additional security measure. Requests from non-whitelisted domains will receive a DOMAIN_NOT_WHITELISTED error.
Server-Side Recommended
For production applications, we strongly recommend making API calls from your server-side code. This keeps your API key secure and avoids CORS restrictions.
Authentication Error Codes
Error Responses
| Parameter | Type | Description |
|---|---|---|
| API_KEY_MISSING | string | HTTP 401 — No API key was provided in the Authorization header. |
| INVALID_API_KEY | string | HTTP 401 — The API key does not exist or has been revoked. |
| ORG_INACTIVE | string | HTTP 403 — Your organisation account is inactive. Contact Sendiee support. |
| DOMAIN_NOT_WHITELISTED | string | HTTP 403 — The request origin domain is not in your allowed domains list. |
| INSUFFICIENT_SCOPE | string | HTTP 403 — The scoped API key does not include the scope this endpoint requires. The response's required_scope field names the missing scope. See API Key Scopes. |