Authentication
API key management, permissions, and security best practices.
API Key Authentication
All API requests require a Bearer token in the Authorization header:
API Key format
Grosend API keys follow the format:
sv_live_[48-character-hex]
SMTP Authentication
For SMTP, use your API key as both username and password:
Session Authentication
The web dashboard uses session-based authentication via NextAuth. Login at send.grosend.com/app.
Two-Factor Authentication (2FA)
2FA is required for all users. After login, you'll be prompted to set up TOTP (e.g., Google Authenticator, Authy).
2FA is mandatory. You cannot send emails until 2FA is configured on your account.
Security best practices
- Never expose API keys in client-side code or public repos
- Rotate API keys regularly
- Use separate keys for development and production
- Monitor API key usage in the dashboard
- Enable 2FA on your account