On this page

API Keys

API keys are the primary method for authenticating with the Brevo API. They provide a simple and secure way to access your account programmatically.

What are API Keys?

API keys are unique identifiers that authenticate your application when making requests to the Brevo API. Each key is a 64-character string that serves as both an identifier and a password.

Example API key: xkeysib-a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456-Ab1Cd2Ef3Gh4

Generating API Keys

Step-by-Step Guide

  1. Log into Brevo: Access your Brevo dashboard
  2. Navigate to Settings: Click on your profile → Settings
  3. Go to API Keys: Select “API Keys” from the left menu
  4. Create New Key: Click “Generate a New API Key”
  5. Name Your Key: Give it a descriptive name (e.g., “Production App”, “Development Testing”)
  6. Set Permissions: Choose the appropriate access level
  7. Generate: Click “Generate” and copy the key immediately

API Key Naming Conventions

Use descriptive names that help you identify the key’s purpose:

  • production-web-app
  • staging-environment
  • mobile-app-ios
  • webhook-listener
  • data-sync-service

API Key Types and Permissions

Full Access Keys 

Permissions: All API endpoints
Use cases: Complete application integration
Risk level: High - protect carefully

Read-Only Keys 

Permissions: GET requests only
Use cases: Analytics, reporting, dashboards
Risk level: Low - limited access

Send-Only Keys 

Permissions: Transactional email sending
Use cases: Application notifications, receipts
Risk level: Medium - can send emails

Contact Management Keys 

Permissions: Contact CRUD operations
Use cases: CRM integrations, form submissions
Risk level: Medium - data modification

Using API Keys

Header Authentication

Include your API key in the api-key header:

GET /v3/account HTTP/1.1
Host: api.brevo.com
Accept: application/json
Content-Type: application/json
api-key: YOUR_API_KEY

Code Examples

JavaScript/Node.js 

const brevo = require('@brevo/api');


const apiInstance = new brevo.AccountApi();
apiInstance.setApiKey(brevo.AccountApiApiKeys.apiKey, process.env.BREVO_API_KEY);


// Make authenticated request
apiInstance.getAccount()
  .then(data => console.log('Account info:', data))
  .catch(error => console.error('Error:', error));

Python 

import sib_api_v3_sdk
from sib_api_v3_sdk.rest import ApiException


# Configure API key
configuration = sib_api_v3_sdk.Configuration()
configuration.api_key['api-key'] = 'YOUR_API_KEY'


# Create API instance
api_instance = sib_api_v3_sdk.AccountApi(sib_api_v3_sdk.ApiClient(configuration))


try:
    # Get account info
    api_response = api_instance.get_account()
    print(api_response)
except ApiException as e:
    print("Exception when calling AccountApi->get_account: %s\n" % e)

PHP 

<?php
require_once(__DIR__ . '/vendor/autoload.php');


// Configure API key
$config = SendinBlue\Client\Configuration::getDefaultConfiguration()->setApiKey('api-key', 'YOUR_API_KEY');


// Create API instance
$apiInstance = new SendinBlue\Client\Api\AccountApi(
    new GuzzleHttp\Client(),
    $config
);


try {
    $result = $apiInstance->getAccount();
    print_r($result);
} catch (Exception $e) {
    echo 'Exception when calling AccountApi->getAccount: ', $e->getMessage(), PHP_EOL;
}
?>

Ruby 

require 'sib-api-v3-sdk'


# Configure API key
SibApiV3Sdk.configure do |config|
  config.api_key['api-key'] = 'YOUR_API_KEY'
end


# Create API instance
api_instance = SibApiV3Sdk::AccountApi.new


begin
  # Get account info
  result = api_instance.get_account
  puts result
rescue SibApiV3Sdk::ApiError => e
  puts "Exception when calling AccountApi->get_account: #{e}"
end

API Key Security

Secure Storage

Environment Variables (Recommended)

Terminal window
# .env file
BREVO_API_KEY=xkeysib-your-api-key-here


# Usage in code
const apiKey = process.env.BREVO_API_KEY;

Cloud Secret Managers

  • AWS Secrets Manager
  • Google Secret Manager
  • Azure Key Vault
  • HashiCorp Vault

Security Best Practices

  1. Never Hardcode Keys

    // ❌ Bad - hardcoded
    const apiKey = "xkeysib-a1b2c3d4...";
    

    // ✅ Good - environment variable
    const apiKey = process.env.BREVO_API_KEY;

  2. Use Different Keys per Environment

    Production:  BREVO_API_KEY_PROD
    Staging:     BREVO_API_KEY_STAGING
    Development: BREVO_API_KEY_DEV

  3. Rotate Keys Regularly

    • Set calendar reminders for quarterly rotation
    • Use automation tools for key rotation
    • Have a rollback plan ready

  4. Monitor Key Usage

    • Set up alerts for unusual activity
    • Review key usage logs monthly
    • Track geographic access patterns

Key Management

Active Key Monitoring

Monitor your active keys in the dashboard:

Key Name: production-web-app
Created: 2024-01-15
Last Used: 2024-01-20 14:30 UTC
Requests Today: 1,247
Status: Active

Key Rotation Process

  1. Generate New Key: Create replacement key
  2. Update Configuration: Deploy with new key
  3. Monitor: Ensure new key works correctly
  4. Grace Period: Keep old key active for 24-48 hours
  5. Revoke Old Key: Delete the previous key

Emergency Key Revocation

If a key is compromised:

  1. Immediate Revocation: Delete key from dashboard
  2. Generate Replacement: Create new key immediately
  3. Update Applications: Deploy with new key ASAP
  4. Monitor Activity: Check for unauthorized usage
  5. Incident Report: Document the security incident

Rate Limiting and API Keys

Each API key has individual rate limits:

  • Free Plan: 300 requests/day
  • Starter Plan: 20,000 requests/day
  • Business Plan: 50,000 requests/day
  • Enterprise Plan: Custom limits

Rate Limit Headers 

HTTP/1.1 200 OK
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 999
X-RateLimit-Reset: 1640995200

Handling Rate Limits 

async function makeApiCall() {
  try {
    const response = await fetch(url, { headers });


    if (response.status === 429) {
      const resetTime = response.headers.get('X-RateLimit-Reset');
      const waitTime = resetTime - Math.floor(Date.now() / 1000);


      console.log(`Rate limited. Waiting ${waitTime} seconds`);
      await new Promise(resolve => setTimeout(resolve, waitTime * 1000));


      // Retry the request
      return makeApiCall();
    }


    return response.json();
  } catch (error) {
    console.error('API call failed:', error);
    throw error;
  }
}

Troubleshooting API Keys

Common Error Messages

Invalid API Key (401)

{
  "code": "unauthorized",
  "message": "Invalid API key provided"
}

Insufficient Permissions (403)

{
  "code": "permission_denied",
  "message": "API key does not have required permissions"
}

Rate Limit Exceeded (429)

{
  "code": "too_many_requests",
  "message": "Rate limit exceeded for API key"
}

Debugging Checklist

  • Key is correctly formatted (64 characters)
  • No extra spaces or hidden characters
  • Key has required permissions
  • Key is active (not revoked)
  • Within rate limits
  • Using correct API endpoint
  • Headers properly formatted

Next Steps