Authentication Setup

Brevo provides two authentication methods depending on your use case: API Key authentication for standard API access and MCP Token authentication for AI integrations. This guide covers both methods.

API Key Authentication

Brevo API keys are used for standard REST API access to all Brevo services.

Generate Your API Key

Log in to your Brevo dashboard
Navigate to Settings → API Keys
Click Generate a New API Key
Give your key a descriptive name (e.g., “My App Production”)
Copy and store the key securely (you won’t see it again!)

API Key Security Best Practices

✅ DO

Store keys securely using environment variables
Use different keys for development and production
Rotate keys regularly (every 90 days recommended)
Limit key permissions to only what’s needed
Monitor key usage in your dashboard

❌ DON’T

Never commit keys to version control
Don’t hardcode keys in your application
Don’t share keys via email or chat
Don’t use production keys for testing

Environment Variables

Store your API keys as environment variables:

Linux/macOS (.bashrc or .zshrc)

export BREVO_API_KEY="your_api_key_here"

Windows (Command Prompt)

set BREVO_API_KEY=your_api_key_here

Node.js (.env file)

BREVO_API_KEY=your_api_key_here

// Load from environment
const apiKey = process.env.BREVO_API_KEY;

Python

import os

api_key = os.getenv('BREVO_API_KEY')

PHP

$apiKey = $_ENV['BREVO_API_KEY'];
// or
$apiKey = getenv('BREVO_API_KEY');

Authentication Headers

Include your API key in the request headers:

Standard Header Format

GET /v3/account HTTP/1.1
Host: api.brevo.com
Accept: application/json
api-key: your_api_key_here

JavaScript Example

const headers = {
  'Accept': 'application/json',
  'api-key': process.env.BREVO_API_KEY
};

fetch('https://api.brevo.com/v3/account', { headers })
  .then(response => response.json())
  .then(data => console.log(data));

Python Requests

import requests

headers = {
    'Accept': 'application/json',
    'api-key': os.getenv('BREVO_API_KEY')
}

response = requests.get('https://api.brevo.com/v3/account', headers=headers)

Key Permissions and Scopes

Different API keys can have different permissions:

Read-only: Only GET requests allowed
Send emails: Transactional email permissions
Manage contacts: Create, update, delete contacts
Campaign management: Create and send campaigns
Full access: All API endpoints

Testing Your Authentication

Use this endpoint to verify your authentication works:

curl -X GET "https://api.brevo.com/v3/account" \
  -H "Accept: application/json" \
  -H "api-key: $BREVO_API_KEY"

Success Response (200 OK):

{
  "email": "[email protected]",
  "firstName": "John",
  "lastName": "Doe"
}

Authentication Error (401 Unauthorized):

{
  "code": "unauthorized",
  "message": "Invalid API key provided"
}

Key Rotation

To rotate your API key:

Generate a new key in the dashboard
Update your environment variables with the new key
Deploy your application with the new key
Test thoroughly to ensure everything works
Revoke the old key once confident in the new one

Monitoring API Key Usage

Track your API key usage in the Brevo dashboard:

Requests per day/month
Error rates by endpoint
Geographic usage patterns
Peak usage times

Multiple API Keys Strategy

For larger applications, consider using multiple API keys:

Production: Live customer data and emails
Staging: Pre-production testing
Development: Local development and testing
Monitoring: Health checks and metrics
Third-party: External integrations

MCP Token Authentication

The Brevo Model Context Protocol (MCP) is an AI integration framework that enables AI assistants to interact with Brevo services. MCP uses a separate authentication method via MCP tokens.

What is MCP?

MCP provides standardized AI access to Brevo APIs through:

Transport: HTTPS
Base URL: https://mcp.brevo.com/v1/
Response Format: JSON
Authentication: MCP Token (different from API keys)

Generate Your MCP Token

Log in to your Brevo dashboard
Navigate to Settings → MCP Tokens (or account settings)
Generate a new MCP token
Copy and store the token securely

Note: MCP is currently available only for early access users.

Using MCP Tokens

MCP tokens are used specifically for AI integrations and Model Context Protocol connections:

export BREVO_MCP_TOKEN="your_mcp_token_here"

Include the MCP token in requests to MCP endpoints:

GET /v1/account HTTP/1.1
Host: mcp.brevo.com
Accept: application/json
Authorization: Bearer your_mcp_token_here

MCP vs API Key

Feature	API Key	MCP Token
Use Case	Standard REST API access	AI integration & MCP connections
Base URL	api.brevo.com	mcp.brevo.com
Header	`api-key`	`Authorization: Bearer`
Availability	All users	Early access users

MCP Security Best Practices

Store MCP tokens separately from API keys
Use environment variables for token storage
Rotate tokens regularly
Never commit tokens to version control
Monitor MCP usage in your dashboard

Troubleshooting Authentication

Common API Key Issues

Invalid API Key Format

Keys should be exactly 64 characters long
Check for extra spaces or characters

Permissions Error

Verify your key has the required permissions
Check if the key is active in your dashboard

Rate Limiting

Authentication failures count toward rate limits
Wait before retrying with correct credentials

Geographic Restrictions

Some accounts have IP restrictions
Contact support if you need to whitelist IPs

Common MCP Token Issues

MCP Not Available

Ensure you have early access to MCP features
Contact Brevo support to request access

Invalid Token

Verify token is copied correctly without spaces
Check token hasn’t expired or been revoked

Wrong Base URL

MCP tokens only work with mcp.brevo.com
Don’t use MCP tokens with api.brevo.com endpoints