Skip to main content

Documentation Index

Fetch the complete documentation index at: https://resend.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

For more help creating, deleting, and managing API keys, see the API Keys documentation.

Best Practices

It’s crucial you handle your API keys securely. Do not share your API key with others or expose it in the browser or other client-side code. Here are some general guidelines:
  • Store API keys in environment variables.
  • Never commit API keys to version control.
  • Never hard-code API keys in your code or share them publicly.
  • Rotate API keys regularly. If an API key hasn’t been used in the last 30 days, consider deleting it to keep your account secure.
When you create an API key in Resend, you can view the key only once. This practice helps encourage these best practices.

Key Rotation

Resend API keys do not expire automatically. Keys remain valid until you manually delete them. Resend includes no built-in expiration date or automatic rotation mechanism, but it is a good security practice to rotate keys regularly. To rotate an API key:
  1. Create a new key in the API Keys Dashboard or via the API with the same permission level and domain scope as the key you are replacing.
  2. Update your services to use the new key. Deploy the change to all environments that reference the old key.
  3. Verify the new key is working by filtering by API Key on the logs page and checking for recent requests.
  4. Delete the old key once you have confirmed the new key is active across all services.
Do not delete the old key before the new key is deployed everywhere. Both keys will work simultaneously, so ensure your new key is working before deleting your old key so you do not experience downtime during the transition. You can programmatically create, list, and delete API keys to rotate keys.
We recommend rotating keys at least every 90 days, or immediately if you suspect a key has been compromised. Resend flags keys unused for 30+ days in the dashboard to help you identify keys that should be reviewed or deleted.