SendinBlue APIs use HTTP authentication through an API key. You can create your API key from the API Console after you sign up for a SendinBlue account. You must use the latest version, 2.0, access key to access the APIs.

You can choose to generate multiple keys as per your development needs.

It is recommended that you use the official SendinBlue wrappers to work with the API. Official API wrappers are available in popular languages (PHP, Node.js, C#, Java, Ruby, Python) and let you access the APIs by just providing the API key. Using the official wrappers frees you from the nuances of creating authentication headers.

If you wish to integrate the APIs into your system without using the official API wrappers, the authentication code must work as follows:

Any HTTP call made to the system has the following in the HTTP headers

We have made the authentication simpler to use yet secure enough for you to access SendinBlue data.

So, for example, if you had an access key 1w1233e2e4d43d3r4, it can look like

The signature sent as part of the header is generated as follows (and is verified on the server side using the same operations):

Signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) );

StringToSign = HTTP-Verb + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Date + "\n" +
URL

HTTP-Verb is the request method: GET, PUT, DELETE, etc.
Content-MD5 is the MD5 of the body being sent (for a blank body, it is blank).
Content-Type is application/json in all cases except for file uploads.
Date is in the format Tue, 27 Mar 2007 19:36:42 +0000 and is taken from the value set in the HTTP header X-mailin-date.
URL is the resource that was called, i.e. "/api/campaign/". Please note that the trailing / is important.

To verify on the server end, we recompute the signature and compare it with the one sent. If it does not match, we send back a not authorized response. There are reasons for implementing a fairly complex authentication mechanism; some are as follows:

  • Preventing man in the middle attacks
  • Preventing replay attacks

You can read more about them in internet security literature.
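
The signing and server-side verification steps described above, as an added Python example (not SendinBlue's wrapper code). It assumes Content-MD5 is the hex digest, that URL is the last StringToSign component with no trailing newline, and a 300-second freshness window on the date; the secret key and request values are constructed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW_SECONDS = 300  # assumption: freshness window, not stated on the page

# Constructed sample request (not real credentials or traffic).
SECRET = "constructed-secret-key"
DATE = "Tue, 27 Mar 2007 19:36:42 +0000"  # value of the X-mailin-date header
URL = "/api/campaign/"                     # trailing slash is significant


def string_to_sign(verb, body, content_type, date, url):
    # Content-MD5 is blank for a blank body; hex encoding is an assumption.
    content_md5 = hashlib.md5(body).hexdigest() if body else ""
    # Assumption: URL is the final component, with no trailing newline.
    return "\n".join([verb, content_md5, content_type, date, url])


def sign(secret_key, verb, body, content_type, date, url):
    # Base64(HMAC-SHA1(secret, UTF-8(StringToSign))), as in the formula above.
    msg = string_to_sign(verb, body, content_type, date, url).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(secret_key, signature, verb, body, content_type, date, url, now=None):
    """Server side: recompute, compare in constant time, reject stale dates."""
    expected = sign(secret_key, verb, body, content_type, date, url)
    if not hmac.compare_digest(expected.encode("utf-8"), signature.encode("utf-8")):
        return False  # body, verb, type, date or URL differs from what was signed
    try:
        sent = parsedate_to_datetime(date)
    except (TypeError, ValueError):
        return False  # unparseable date header
    if sent.tzinfo is None:
        return False  # no usable UTC offset, cannot judge freshness
    now = now or datetime.now(timezone.utc)
    # A captured request replayed outside the window fails here even though
    # its signature is still valid for the original date.
    return abs((now - sent).total_seconds()) <= MAX_SKEW_SECONDS


if __name__ == "__main__":
    sig = sign(SECRET, "PUT", b'{"name":"demo"}', "application/json", DATE, URL)
    print(sig)
```

Because the date is part of the signed string, a captured request cannot be re-dated without invalidating the signature, which is what lets the freshness check limit replay.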