Overview
Fluxomail uses server-side API keys with optional scopes, signed unsubscribe tokens, and verified webhooks. Keep secrets server-only; never expose keys in client code.
Authentication
  • Send Authorization: Bearer <api_key> (preferred) or x-api-key: <api_key>
  • Keys are per-organization; scopes limit capabilities (least privilege)
  • Missing/invalid keys return 401 with { "error": "Invalid API key" }
Scopes
Scope               Purpose
send_email          Access to /api/v1/emails/* endpoints
read_sends          Access to GET /api/v1/sends/{id}
preferences_read    Access to GET /api/v1/preferences
preferences_manage  Access to POST /api/v1/preferences
Event ingestion
  • Managed by Fluxomail; no webhook setup is required on your side.
  • Events are deduped by (providerMessageId, type) and correlated to your sends.
Unsubscribe tokens
  • Tokens are signed to prevent tampering and verified with a timing-safe comparison
  • Payload contains only the minimum data needed to resolve the contact
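The two properties above (a signed, minimal payload and a timing-safe check), shown as an added Node.js illustration. This is not Fluxomail's code or its token format: the `body.signature` layout, the payload field `c`, the choice of HMAC-SHA256, the demo secret, and the function names are all assumptions made for the example.

```javascript
// Added illustration only; not Fluxomail's actual token format.
const crypto = require('node:crypto');

// Constructed demo secret. In practice, load it from env or a secret manager.
const DEMO_SECRET = Buffer.from('constructed-demo-secret-not-a-real-key');

const b64url = (data) => Buffer.from(data).toString('base64url');

// HMAC-SHA256 over the encoded body (assumed algorithm).
function sign(body, secret) {
  return crypto.createHmac('sha256', secret).update(body).digest();
}

// The payload carries only what is needed to resolve the contact.
function makeUnsubscribeToken(contactId, secret) {
  const body = b64url(JSON.stringify({ c: contactId }));
  return `${body}.${b64url(sign(body, secret))}`;
}

// Returns the contact id, or null when the token is malformed or tampered.
function verifyUnsubscribeToken(token, secret) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [body, sig] = parts;
  const expected = sign(body, secret);
  const given = Buffer.from(sig, 'base64url');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (given.length !== expected.length) return null;
  // Constant-time compare: no early exit on the first differing byte.
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try {
    // Parse only after the signature has been verified.
    const payload = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
    return typeof payload.c === 'string' ? payload.c : null;
  } catch {
    return null;
  }
}
```

The signature is checked before the payload is parsed, so unauthenticated input never reaches `JSON.parse`.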
Best practices
  • Store keys in secure server-side config (env/secret manager)
  • Rotate keys on exposure; use minimal scopes per integration
  • Prefer Idempotency-Key and respect Retry-After on 429
See also: Authentication, Provider Events, Preferences