Account API keys

Scoped API keys for apps and authorized agents.

Create keys with only the access a workflow needs. Use one key for production sending, another for a deploy job that manages templates, and another for an authorized agent that monitors webhooks or suppressions.

Available scopes
[
  "email:send",
  "projects:read",
  "projects:write",
  "api-keys:write",
  "domains:read",
  "domains:write",
  "templates:write",
  "audiences:write",
  "broadcasts:write",
  "automations:write",
  "webhooks:write",
  "suppressions:write",
  "receiving:read",
  "receiving:write"
]

Key patterns

Give each workflow the smallest useful key.

Keep account access tidy: one key for the app, one for deploy jobs, one for authorized agents, and a clear rotation path when a secret moves.

Read agent access docs
App

Production sender

Scope a runtime key to the send paths your app actually calls.

Deploy

Template manager

Use a separate key for CI jobs that publish or update email templates.

Agent

Authorized account helper

Let an agent inspect webhooks or suppressions without handing it broad operator access.

Rotate

Shown once, replaced cleanly

Create a new scoped key, update the workflow, then delete the old secret.

Shown once

Secrets start with ntc_ and are visible only at creation time.

Least privilege

Scope each key to sending, domains, templates, audiences, webhooks, or receiving.

Agent-ready

AI agents can use scoped keys for authorized account work without broad operator access.