ZooTools is now SMASHSEND Email MarketingRead update
SMASHSEND email marketing - The #1 Email Marketing Tool that turns emails into revenueemail marketing
SMASHSEND email marketing - The #1 Email Marketing Tool that turns emails into revenueemail marketing

  1. Home

    2. /

  2. Docs

    3. /

  3. API Reference

    4. /

  4. API Keys

API Keys

API Keys provide secure authentication for accessing the SMASHSEND API. This endpoint is commonly used by Zapier and other integration platforms to validate connections, manage authentication, and perform automated operations securely.

Overview

API keys are workspace-specific tokens that allow programmatic access to your SMASHSEND account. Each API key has a specific role and can be managed through these endpoints.

API Key Roles: API_USER (standard access for most operations)

Base URL: https://api.smashsend.com

API Key Endpoints

GET/v1/api-keys/check

Validates an API key and returns key information. This endpoint is used by Zapier and other platforms to test connections and verify that API keys are working correctly.

Authentication

Requires the API key to be validated in the Authorization header.

Request

curl "https://api.smashsend.com/v1/api-keys/check" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "status": "SUCCEED",
  "displayName": "sdfasdf",
  "role": "EDITOR"
}

Error Responses

401 Unauthorized: Invalid API key

403 Forbidden: API key lacks required permissions

429 Too Many Requests: Rate limit exceeded

GET/v1/workspaces/{workspaceId}/api-keys

Lists all API keys for a workspace. Useful for managing multiple API keys and their permissions.

Path Parameters

workspaceId - The unique ID of the workspace

Query Parameters

limit - Maximum number of API keys to return (default: 15, max: 100)

sort - Sort order: “createdAt.desc” or “createdAt.asc” (default: “createdAt.desc”)

Request

curl "https://api.smashsend.com/v1/workspaces/wrk_ENGTK86JEXXckyDVJthKkPer/api-keys" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "apiKeys": {
    "items": [
      {
        "id": "aki_abc123def456",
        "displayName": "Zapier Integration",
        "role": "API_USER",
        "status": "ACTIVE",
        "secretKey": "sk_live_abc123...",
        "createdAt": "2024-03-15T10:00:00Z",
        "updatedAt": "2024-03-15T10:00:00Z"
      },
      {
        "id": "aki_xyz789ghi012",
        "displayName": "CRM Sync",
        "role": "API_USER",
        "status": "ACTIVE",
        "secretKey": "sk_live_xyz789...",
        "createdAt": "2024-03-10T14:30:00Z",
        "updatedAt": "2024-03-10T14:30:00Z"
      }
    ],
    "hasMore": false,
    "startAt": null
  }
}

POST/v1/workspaces/{workspaceId}/api-keys

Creates a new API key for the workspace. Essential for setting up new integrations and automations.

Request Body Parameters

displayName - Human-readable name for the API key (required)

role - The role for the API key, typically “API_USER” (required)

Request

curl -X POST "https://api.smashsend.com/v1/workspaces/wrk_ENGTK86JEXXckyDVJthKkPer/api-keys" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "New Integration API Key",
    "role": "API_USER"
  }'

Response

{
  "apiKey": {
    "id": "aki_new123def456",
    "displayName": "New Integration API Key",
    "role": "API_USER",
    "status": "ACTIVE",
    "secretKey": "sk_live_new123abc456def...",
    "createdAt": "2024-03-21T15:30:00Z",
    "updatedAt": "2024-03-21T15:30:00Z"
  }
}

Important Security Note

The secretKey is only returned once when the API key is created. Store it securely as it cannot be retrieved again. If lost, you will need to create a new API key.

POST/v1/workspaces/{workspaceId}/api-keys/{apiKeyId}

Updates an existing API key. You can modify the display name and role, but not the secret key itself.

Path Parameters

workspaceId - The unique ID of the workspace

apiKeyId - The unique ID of the API key to update

Request Body Parameters

displayName - New display name for the API key (optional)

role - New role for the API key (optional)

Request

curl -X POST "https://api.smashsend.com/v1/workspaces/wrk_ENGTK86JEXXckyDVJthKkPer/api-keys/aki_abc123def456" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "Updated Zapier Integration Key"
  }'

Response

{
  "apiKey": {
    "id": "aki_abc123def456",
    "displayName": "Updated Zapier Integration Key",
    "role": "API_USER",
    "status": "ACTIVE",
    "secretKey": "sk_live_abc123...",
    "createdAt": "2024-03-15T10:00:00Z",
    "updatedAt": "2024-03-21T16:45:00Z"
  }
}

DELETE/v1/workspaces/{workspaceId}/api-keys/{apiKeyId}

Permanently deletes an API key. This action cannot be undone and will immediately invalidate the API key for all integrations using it.

Path Parameters

workspaceId - The unique ID of the workspace

apiKeyId - The unique ID of the API key to delete

Request

curl -X DELETE "https://api.smashsend.com/v1/workspaces/wrk_ENGTK86JEXXckyDVJthKkPer/api-keys/aki_abc123def456" \
  -H "Authorization: Bearer YOUR_API_KEY"

Response

{
  "apiKey": {
    "id": "aki_abc123def456",
    "displayName": "Deleted API Key",
    "role": "API_USER",
    "status": "ACTIVE",
    "secretKey": "sk_live_abc123...",
    "createdAt": "2024-03-15T10:00:00Z",
    "updatedAt": "2024-03-15T10:00:00Z"
  },
  "isDeleted": true
}

Integration Best Practices

1. Test Connection First

Always use the /v1/api-keys/check endpoint to validate API keys before performing other operations. This is exactly what Zapier does during connection setup.

2. Use Descriptive Names

Give your API keys clear, descriptive names like “Zapier CRM Integration” or “E-commerce Sync” to easily identify their purpose.

3. Secure Storage

Store API keys securely and never expose them in client-side code or public repositories. The secret key is only shown once during creation.

4. Regular Rotation

For security best practices, consider rotating API keys periodically by creating new ones and deleting old ones.

5. Monitor Usage

Keep track of which integrations are using which API keys, so you can safely delete unused keys and troubleshoot connection issues.

Zapier Integration Example

Here’s how Zapier uses the API key validation endpoint to test connections:

// Zapier authentication test
const testAuth = async (z, bundle) => {
  const response = await z.request({
    url: 'https://api.smashsend.com/v1/api-keys/check',
    method: 'GET',
    headers: {
      'Authorization': `Bearer ${bundle.authData.api_key}`
    }
  });

  if (response.status !== 200) {
    throw new Error('Invalid API key');
  }

  const data = response.json;
  return {
    displayName: `🔐 API Key: ${data.displayName}`
  };
};

This pattern ensures that API keys are validated before any integration workflows begin, providing immediate feedback to users about authentication issues.

Error Handling

401 - Unauthorized

{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Invalid API key. Please double-check and try again."
}

403 - Forbidden

{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "API key does not have sufficient permissions."
}

429 - Rate Limited

{
  "statusCode": 429,
  "error": "Too Many Requests", 
  "message": "Rate limit exceeded. Please wait a moment and try again."
}