API Keys
API keys authenticate your requests to the FWD API. Each key has afwd_ prefix and is hashed server-side for security.
Endpoints
GET/api/keys
POST/api/keys
DELETE/api/keys/:id
Create an API Key
| Parameter | Type | Required | Description |
|---|---|---|---|
| name | string | Required | A descriptive name for the key (max 50 characters) |
Create key
curl -X POST https://fwd.sarthak.online/api/keys \
-H "Cookie: your-session-cookie" \
-H "Content-Type: application/json" \
-d '{ "name": "Production" }'Response
Response (201 Created)
{
"success": true,
"data": {
"id": "key_abc123",
"name": "Production",
"key": "fwd_sk_a1b2c3d4e5f6...",
"keyPrefix": "fwd_sk_a1b2",
"createdAt": "2025-01-15T10:00:00Z"
},
"message": "API key created successfully"
}Store your key securely
The full API key (
key field) is only returned once at creation time. Store it in a secure location like an environment variable. You will not be able to retrieve it later — only the keyPrefix is stored.Using Your API Key
Include your API key in the x-api-key header for all API requests that require authentication.
Authentication header
curl -X POST https://fwd.sarthak.online/api/send \
-H "x-api-key: fwd_sk_a1b2c3d4e5f6..." \
-H "Content-Type: application/json" \
-d '{ "to": "user@example.com", "subject": "Test", "html": "<p>Hello</p>" }'Revoke a Key
Revoked keys are immediately deactivated and cannot be used for authentication.
Revoke key
curl -X DELETE https://fwd.sarthak.online/api/keys/key_abc123 \
-H "Cookie: your-session-cookie"Security Best Practices
- Never commit API keys to version control
- Use environment variables (
FWD_API_KEY) to store keys - Create separate keys for development and production
- Revoke unused or compromised keys immediately
- Rotate keys periodically for enhanced security
Plan Limits
| Plan | API Keys |
|---|---|
| Free | 3 |
| Pro | 10 |