API Keys

API keys provide programmatic access to your ColdSend account. Each key has specific scopes that determine what operations it can perform.

Creating an API Key

Create API keys through the ColdSend dashboard:
  1. Navigate to Settings > API Keys
  2. Click “Create API Key”
  3. Enter a descriptive name for the API key
  4. Select the required scopes
  5. Click “Create”
  6. Copy the key immediately
The full API key value is only shown once during creation. You cannot retrieve it later. Store it securely in a password manager or secrets management system.

Managing API Keys

Viewing Keys

The dashboard displays all API keys with:
  • Key name
  • Associated scopes
  • Creation date
  • Last used timestamp
  • Status (active/revoked)

Revoking Keys

Revoke a key when:
  • The key may have been compromised
  • An employee with access leaves your organization
  • The integration using the key is decommissioned
Revoked keys immediately lose all access and cannot be restored.

Security Best Practices

Use Environment Variables

Never hardcode API keys in your source code:
import os

# Good: Load from environment
api_key = os.environ.get("COLDSEND_API_KEY")

# Bad: Hardcoded key
api_key = "cs_live_abc123..."

Use Separate Keys for Different Purposes

Create dedicated keys for different use cases:
Purpose                 Recommended Scopes
Campaign Management     campaigns:write
Analytics Dashboard     campaigns:read
Sender Account Setup    sender_accounts:write
Full Access             *

Rotate Keys Periodically

Regularly rotate API keys:
  1. Create a new key with the same scopes
  2. Update your integrations to use the new key
  3. Revoke the old key after confirming the new key works

Never Expose Keys Client-Side

API keys should never be:
  • Embedded in client-side JavaScript
  • Included in mobile applications
  • Committed to version control
  • Shared in support tickets or emails

Monitor Key Usage

Review the “Last Used” timestamp regularly. If a key shows unexpected usage patterns or hasn’t been used recently, investigate and consider revoking it.

Key Storage

When you create an API key, ColdSend stores only a hashed version:
  • The raw key is hashed using SHA-256 with a secret pepper
  • The original key value is never stored
  • This means keys cannot be recovered if lost
This approach ensures that even if the database is compromised, attackers cannot retrieve usable API keys.
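
The storage scheme described above, sketched as an added example (not ColdSend's own code). It assumes the pepper is applied as an HMAC-SHA256 key and kept outside the database, and that scopes match exactly with * granting full access; KeyStore, digest_key, and the sample key names are hypothetical.

```python
import hashlib
import hmac
import secrets


def digest_key(raw_key: str, pepper: bytes) -> str:
    """Peppered SHA-256 digest of a key; HMAC is an assumed construction."""
    return hmac.new(pepper, raw_key.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    """Stand-in for the key table: rows are indexed by digest, never raw key."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper  # assumption: kept outside the database
        self.rows = {}         # digest -> {"name", "scopes", "revoked"}

    def create(self, name: str, scopes: set) -> str:
        raw = "cs_live_" + secrets.token_urlsafe(32)  # returned to the caller once
        self.rows[digest_key(raw, self._pepper)] = {
            "name": name, "scopes": set(scopes), "revoked": False}
        return raw

    def revoke(self, name: str) -> None:
        for row in self.rows.values():
            if row["name"] == name:
                row["revoked"] = True

    def authorize(self, presented: str, scope: str) -> bool:
        # Re-derive the digest from the presented key and look it up.
        row = self.rows.get(digest_key(presented, self._pepper))
        if row is None or row["revoked"]:
            return False
        # Assumption: exact scope match, with "*" granting full access.
        return scope in row["scopes"] or "*" in row["scopes"]


if __name__ == "__main__":
    store = KeyStore(pepper=secrets.token_bytes(32))  # constructed pepper
    key = store.create("analytics-dashboard", {"campaigns:read"})
    print("read allowed:", store.authorize(key, "campaigns:read"))
    print("write allowed:", store.authorize(key, "campaigns:write"))
    store.revoke("analytics-dashboard")
    print("after revoke:", store.authorize(key, "campaigns:read"))
```

Because only the digest is stored, a lost key can only be replaced, not looked up, and a copy of the table alone is not enough to test guessed keys without the pepper.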