Skip to main content
Every request authenticates with an API key sent as a Bearer token. Account-wide keys name the sending project per request; project-scoped keys don’t. Send the key in the Authorization header:
Authorization
Create and revoke keys in the dashboard under API Keys, or over the API (POST /v1/api-keys). The secret is shown once at creation — store it immediately; you can’t read it back.
Keep keys server-side. API keys are secrets. Use them only from server-side code, never in a browser, mobile app, or anything shipped to a user. If a key leaks, revoke it and mint a new one.

Choosing the sending project

A Drin account can hold several projects, each with its own sender identity, domains, and keys. Two kinds of key decide how the project is chosen.

Project-scoped key

Tied to one project. The project is implied — send with just the Authorization header, nothing else.

Account-wide key

Spans every project. You must name the project per request so Drin knows who’s sending.
Name the project on an account-wide key with the X-Drin-Product header:
Headers
Header aliases. X-Drin-Product is the canonical header. X-Drin-Sender is an accepted alias — it’s what the SDK’s sender option, the CLI’s --sender flag, and the DRIN_SENDER env var send. All three name the same thing.
In the SDK, pass sender once when you construct the client:
Node.js

Request headers

Idempotency

Pass an Idempotency-Key on any POST to make it safe to retry — if the same key arrives twice, Drin returns the original result instead of sending again. Keys are honored for 24 hours, per sending project.
The SDK automatically retries transient failures (429 and 5xx) with exponential backoff — and it only retries a POST when you’ve supplied an Idempotency-Key, so a send is never duplicated. See Errors for the full retry behaviour.