Authentication
All API requests must include your API key. Generate keys from Dashboard → API → API Keys. Each key is shown once; store it securely.
Bearer token (recommended)
Send your API key in the Authorization header. Keys start with fce_.
http
Authorization: Bearer fce_xxxxxxxxxxxxxxxxxxxxQuery parameter
Alternatively, pass api_key=fce_xxxx as a query parameter (e.g. for WebSocket). Prefer the header in production to avoid key leakage in logs.
Security
- Never commit API keys to version control. Use environment variables or a secrets manager.
- Rotate keys periodically from Dashboard → API → API Keys. Revoke compromised keys immediately.
- Use HTTPS only; the API does not accept plain HTTP.
Invalid key responses
All auth errors return HTTP 401 with one of the following bodies:
401Missing or malformed key
json
{
"success": false,
"error": "unauthorized",
"message": "Missing or invalid API key. Pass your key in the Authorization header: Bearer fce_..."
}401Revoked key
json
{
"success": false,
"error": "key_revoked",
"message": "This API key has been revoked. Generate a new key at freecustom.email/dashboard/api."
}