# API keys

> Create, scope, and revoke API keys. Keys start with mb_, carry a full_access or sending_access permission, and are shown in full exactly once.

Every API request authenticates with an API key sent as a Bearer token (see [Authentication](https://www.mailblastr.com/docs/authentication)). Keys are created in the dashboard under **API Keys**, or via the [API](https://www.mailblastr.com/docs/api/api-keys-create).

A key is returned **once** at creation — the full `mb_...` token is shown a single time, and only its hash and prefix are stored afterward. If you lose it, create a new one.

> **Warning:** Copy the key immediately when you create it. MailBlastr cannot show it again; there is no way to recover the full token later.

## Permissions

Each key has a permission level that controls what it can do:

| Permission | Can do |
| --- | --- |
| `full_access` | Send email **and** manage resources — domains, audiences, contacts, campaigns, webhooks, and other API keys. |
| `sending_access` | Send email only. Cannot create or delete domains, audiences, campaigns, or other keys. |

Prefer a `sending_access` key for any server that only needs to send email — it limits the blast radius if the key leaks. Note that a key can only mint or revoke other keys if it has `full_access`.

You can create multiple keys to isolate different applications or environments. Scoping each integration to its own key lets you track its usage independently, spot abuse, and revoke just that key if it leaks — without disrupting your other services.

## Tracking usage

Each key records when it was **last used**. List your keys with [`GET /api-keys`](https://www.mailblastr.com/docs/api/api-keys-list) — each entry carries a `last_used_at` timestamp (null if the key has never been used) alongside its `name` and `created_at`. The dashboard surfaces the same signal so you can scan which keys are active and which are dormant.

## Rotation and revocation

Keys do not expire on their own. To rotate, create a new key, deploy it, then delete the old one — deletion is immediate and irreversible. A revoked key returns `403 invalid_api_key` on its next use.

> **Note:** If a key has not been used in the last 30 days, consider deleting it to keep your account secure. Dormant keys widen your attack surface for no benefit.

- Create a key: [`POST /api-keys`](https://www.mailblastr.com/docs/api/api-keys-create).
- List keys (metadata only — never the token): [`GET /api-keys`](https://www.mailblastr.com/docs/api/api-keys-list).
- Revoke a key: [`DELETE /api-keys/:id`](https://www.mailblastr.com/docs/api/api-keys-delete).
