Skip to main content

API keys

All requests to the Torpedo API (except workspace creation) require an API key passed in the X-API-Key header. 
curl https://api.torpedo.co.mz/api/v1/emails \
  -H "X-API-Key: tor_your_key_here"
Keys follow the format tor_ + base64url-encoded random bytes.

Key types

Workspace key

Created automatically when you call POST /api/v1/workspaces. Can send from any verified domain in the workspace.

Domain-scoped key

Created via POST /api/v1/auth/keys with a domainId. Can only send from that specific domain. Use these for multi-tenant setups or to isolate sending by domain.

Getting your key

Keys are returned once only at creation time and cannot be retrieved again. If you lose a key:
  1. Revoke it via DELETE /api/v1/auth/keys/{id}
  2. Create a new one

Security best practices

Never expose API keys in client-side code, public repositories, or browser environments. Keys grant full send access on behalf of your domain.
  • Store keys in environment variables (TORPEDO_API_KEY)
  • Use domain-scoped keys when possible — limits blast radius if a key leaks
  • Rotate keys periodically using the revoke + create flow
  • Set up webhooks to monitor for unexpected sending activity