Skip to content
Sendblue Docs
Get Started
Security & Compliance

Security & Compliance

Enterprise-grade security for mission-critical messaging

Sendblue is SOC 2 Type 2, HIPAA, and TCPA compliant. Please reach out to us for a copy of our Type 2 audit and pentest reports. For HIPAA compliance, you will need to use our dedicated HIPAA instance.

Authentication

Section titled “Authentication”

API credentials use SHA-512 HMAC hashing with unique salts. Plaintext secrets are never stored.

sb-api-key-id: YOUR_API_KEY
sb-api-secret-key: YOUR_API_SECRET

Alternative header formats also accepted:

x-sb-api-key-id: YOUR_API_KEY
x-sb-api-secret-key: YOUR_API_SECRET

All requests require both headers. Frontend requests are blocked—API calls must come from your backend.

Encryption

Section titled “Encryption”
  • TLS encryption for all API communications
  • HTTPS enforced for webhooks (HTTP URLs auto-upgraded)
  • Data encrypted at rest

Webhook Security

Section titled “Webhook Security”

Configure signing secrets per-webhook or globally:

{
  "webhooks": [
    {
      "url": "https://yourapp.com/webhook",
      "secret": "your-secret"
    }
  ],
  "globalSecret": "optional-global-secret"
}

Sendblue sends sb-signing-secret header with requests. Verify this matches your configured secret.

Rate Limiting

Section titled “Rate Limiting”

Multi-level protection:

LevelPurpose
AccountPrevents runaway scripts
ServerProtects infrastructure
SenderPrevents carrier flagging
ConversationRespects recipient experience

Rate limits vary by plan.

TCPA Compliance

Section titled “TCPA Compliance”

Built-in opt-out detection for: stop, unsubscribe, cancel, opt out, revoke, end, quit

Opt-in via start. Custom opt-out phrases supported per account — contact support to configure, but cannot be set via API.

Blocking Contacts

Section titled “Blocking Contacts”

To block a contact from sending inbound messages, use the POST /api/v2/block endpoint.

Audit Logging

Section titled “Audit Logging”
  • All API requests logged with sanitized headers
  • Request tracing with unique IDs
  • Sensitive headers auto-redacted: authorization, sb-api-key-id, sb-api-secret-key, x-id-token, cookie

Input Validation

Section titled “Input Validation”
  • E.164 phone format validation
  • Email validation for iMessage
  • Emergency numbers blocked (911)
  • Empty content rejected

Enterprise

Section titled “Enterprise”
  • Dedicated phone numbers (country/area code selection)
  • Custom rate limits
  • Priority support
  • Custom SLAs