Authentication
Every request to the Arsel API must include a valid API key. Keys are scoped to your organization, so all usage and rate limits apply at the organization level.
This page covers authentication for the REST API (API keys). If you're connecting to the SMTP server, you use a separate SMTP credential (username + password) instead — see Managing SMTP Credentials. The two credential types are independent and cannot be used interchangeably.
API Key Format
Arsel API keys use the format:
be_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The be_ prefix identifies the key type. The remaining characters are cryptographically random.
Sending Authenticated Requests
Include your API key in the Authorization header using the Bearer scheme:
Authorization: Bearer be_your_api_key_here
| Header | Value | Required |
|---|---|---|
| Authorization | Bearer <your-api-key> | Yes |
| Content-Type | application/json | Yes |
Generating API Keys
- Log in to your Arsel Dashboard
- Navigate to Settings > API Keys
- Click Create API Key and give it a descriptive name
- Copy the key immediately — it is only shown once
Store your API key securely. It cannot be retrieved after creation. If you lose it, revoke the old key and generate a new one.
Key Management
From the dashboard you can:
- View all active keys and their last-used timestamps
- Revoke keys that are no longer needed
- Rotate keys by creating a new one and revoking the old one
Security Best Practices
- Never expose keys in client-side code. API keys should only be used in server-to-server communication.
- Use environment variables to store keys, not source code.
- Rotate keys periodically and immediately if a key may have been compromised.
- Use separate keys for development and production environments.
Authentication Errors
If your API key is missing, invalid, or revoked, the API returns:
{
  "status_code": 401,
  "name": "unauthorized",
  "message": "Invalid or missing API key"
}
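The server-side handling described under Security Best Practices and Authentication Errors, as an added example that is not Arsel's own code: it loads the key from an environment variable, builds the two required headers, and maps the 401 body to an exception. The variable name `ARSEL_API_KEY`, the `ArselAuthError` type, and all function names are assumptions made for this sketch.

```python
import json
import os
import urllib.request

KEY_PREFIX = "be_"  # key prefix documented on this page
ENV_VAR = "ARSEL_API_KEY"  # assumed variable name, not defined by Arsel


class ArselAuthError(Exception):
    """The API reported a missing, invalid, or revoked key (hypothetical type)."""


def load_api_key(environ=os.environ):
    """Read the key from the environment; reject values that cannot be API keys."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    if not key.startswith(KEY_PREFIX) or len(key) == len(KEY_PREFIX):
        # Fails fast if an SMTP password or another token was pasted here.
        raise RuntimeError(f"{ENV_VAR} does not look like an Arsel API key")
    return key


def redact(key):
    """Log-safe form of the key: the prefix plus the last four characters."""
    return f"{KEY_PREFIX}...{key[-4:]}"


def build_request(url, payload, key):
    """Build, without sending, a POST that carries both required headers."""
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {key}", "Content-Type": "application/json"},
        method="POST",
    )


def check_auth(status, body):
    """Raise on the documented 401 error body; return None otherwise."""
    if status != 401:
        return None
    try:
        err = json.loads(body)
    except ValueError:
        err = {}
    err = err if isinstance(err, dict) else {}
    name, msg = err.get("name", "unauthorized"), err.get("message", "authentication failed")
    raise ArselAuthError(f"{name}: {msg}")
```

Log `redact(key)` rather than the key itself, and treat `ArselAuthError` as a signal to check whether the key was revoked or rotated instead of retrying.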