Grosend|Docs
Getting Started
  • Introduction
  • Quick Start
Sending
  • SMTP Relay
  • Authentication
API Reference
  • Overview
  • Send Email
  • Domains
  • Templates
  • API Keys
  • Webhooks
Analytics
  • Tracking
Docs
Getting Started
  • Introduction
  • Quick Start
Sending
  • SMTP Relay
  • Authentication
API Reference
  • Overview
  • Send Email
  • Domains
  • Templates
  • API Keys
  • Webhooks
Analytics
  • Tracking

Authentication

API key management, permissions, and security best practices.

API Key Authentication

All API requests require a Bearer token in the Authorization header:

Header
Authorization: Bearer sv_live_your_api_key

API Key format

Grosend API keys follow the format:

sv_live_[48-character-hex]

SMTP Authentication

For SMTP, use your API key as both username and password:

SMTP Credentials
Username: sv_live_your_key
Password: sv_live_your_key

Session Authentication

The web dashboard uses session-based authentication via NextAuth. Login at send.grosend.com/app.

Two-Factor Authentication (2FA)

2FA is required for all users. After login, you'll be prompted to set up TOTP (e.g., Google Authenticator, Authy).

2FA Endpoints
// Enable 2FA
POST /api/v1/account/2fa/setup

// Verify setup with TOTP code
POST /api/v1/account/2fa/verify
{"code": "123456"}

// Disable 2FA
POST /api/v1/account/2fa/disable
2FA is mandatory. You cannot send emails until 2FA is configured on your account.

Security best practices

  • Never expose API keys in client-side code or public repos
  • Rotate API keys regularly
  • Use separate keys for development and production
  • Monitor API key usage in the dashboard
  • Enable 2FA on your account