Account API keys
Scoped API keys for apps and authorized agents.
Create keys with only the access a workflow needs. Use one key for production sending, another for a deploy job that manages templates, and another for an authorized agent that monitors webhooks or suppressions.
[ "email:send", "projects:read", "projects:write", "api-keys:write", "domains:read", "domains:write", "templates:write", "audiences:write", "broadcasts:write", "automations:write", "webhooks:write", "suppressions:write", "receiving:read", "receiving:write" ]
Key patterns
Give each workflow the smallest useful key.
Keep account access tidy: one key for the app, one for deploy jobs, one for authorized agents, and a clear rotation path when a secret moves.
Read agent access docsProduction sender
Scope a runtime key to the send paths your app actually calls.
Template manager
Use a separate key for CI jobs that publish or update email templates.
Authorized account helper
Let an agent inspect webhooks or suppressions without handing it broad operator access.
Shown once, replaced cleanly
Create a new scoped key, update the workflow, then delete the old secret.
Shown once
Secrets start with ntc_ and are visible only at creation time.
Least privilege
Scope each key to sending, domains, templates, audiences, webhooks, or receiving.
Agent-ready
AI agents can use scoped keys for authorized account work without broad operator access.