Authentication
Risu Mail uses API keys to authenticate requests. Every request to our V1 API must include a valid Authorization header using the Bearer token scheme.
Bearer Token Authentication
All API requests must be transmitted over HTTPS. To authenticate, include an 'Authorization' header with your secret key.
Format: Authorization: Bearer [YOUR_API_KEY]
API Key Scopes
Scopes let you limit the potential damage if a key is compromised. We recommend following the Principle of Least Privilege: give each key only the scopes it needs.
- mail_api: Grants access to /v1/emails, /v1/instant-mail, and /v1/queue-mail. Essential for all sending tasks.
- server_otp: Exclusive access to the backend OTP verification engine. Should never be used on client machines.
- analytics_read: Read-only access to delivery logs, bounce metrics, and click tracking data.
- forms_manage: Allows for programmatic CRUD operations on your Bento and Hosted forms.
Security Best Practices
Environment Secrets: Never hardcode keys. Use .env files or secret managers.
Key Rotation: We recommend rotating your keys every 90 days. You can have multiple active keys to allow for a zero-downtime rollover.
IP Whitelisting: For production servers, restrict API key usage to specific static IP addresses in the dashboard security settings.
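The Bearer format, the HTTPS requirement, and the environment-secret and key-rotation practices above, combined in one client helper. This is an added example, not Risu Mail's own code. The environment variable names, the placeholder host and the 401 response for a rejected key are assumptions.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumptions, not from the Risu Mail docs: the variable names and the host.
KEY_ENV = "RISU_MAIL_API_KEY"            # key currently in use
NEXT_KEY_ENV = "RISU_MAIL_API_KEY_NEXT"  # replacement key, set during rotation
BASE_URL = "https://api.example.invalid"  # placeholder host


def load_keys(env=None):
    """Read the active keys from the environment, replacement key first."""
    env = os.environ if env is None else env
    keys = [env.get(name, "").strip() for name in (NEXT_KEY_ENV, KEY_ENV)]
    keys = [k for k in keys if k]
    if not keys:
        raise RuntimeError(f"{KEY_ENV} is not set")
    return keys


def build_request(path, api_key, data=None, base_url=BASE_URL):
    """Build a request carrying 'Authorization: Bearer <key>', HTTPS only."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    # Whitespace (including CR/LF) in a key would corrupt the header line.
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key is empty or contains whitespace")
    req = urllib.request.Request(url, data=data)
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def send_with_rollover(path, data=None, keys=None, opener=urllib.request.urlopen):
    """Try each active key in turn, moving on only when one is rejected."""
    last_error = None
    for key in keys or load_keys():
        try:
            return opener(build_request(path, key, data=data))
        except urllib.error.HTTPError as err:
            if err.code != 401:  # assumed: a revoked key is answered with 401
                raise
            last_error = err
    raise last_error
```

With both variables set, the old key can be revoked in the dashboard at any point after the new one is deployed, and the fallback covers the overlap.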
Ready to integrate?
Start building with our free tier and follow our detailed API contract.