
Security & Compliance

Enterprise-grade security for mission-critical messaging

Sendblue powers messaging for Fortune 100 companies and top enterprises worldwide.

API credentials use SHA-512 HMAC hashing with unique salts. Plaintext secrets are never stored.

sb-api-key-id: YOUR_API_KEY
sb-api-secret-key: YOUR_API_SECRET

Alternative header formats also accepted:

x-sb-api-key-id: YOUR_API_KEY
x-sb-api-secret-key: YOUR_API_SECRET

All requests require both headers. Frontend requests are blocked—API calls must come from your backend.

  • TLS encryption for all API communications
  • HTTPS enforced for webhooks (HTTP URLs auto-upgraded)
  • Data encrypted at rest

Configure signing secrets per-webhook or globally:

{
  "webhooks": [{
    "url": "https://yourapp.com/webhook",
    "secret": "your-secret"
  }],
  "globalSecret": "optional-global-secret"
}

Sendblue sends the sb-signing-secret header with requests. Verify that its value matches your configured secret.
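
A receiver-side check for the sb-signing-secret header, as an added example (not Sendblue's code). The header-list shape, the function names and the sample payload are assumptions; the secret is compared in constant time, and the body is parsed only after the check passes.

```python
import hmac
import json

SIGNING_HEADER = "sb-signing-secret"  # header name from the page


def secret_matches(headers, expected_secret):
    """Return True only if the request carries the configured signing secret."""
    if not expected_secret:
        # Fail closed: an unset secret must never match an absent header.
        return False
    # HTTP header names are case-insensitive; collect every occurrence.
    values = [v for k, v in headers if k.lower() == SIGNING_HEADER]
    if len(values) != 1:
        return False  # missing or ambiguous (repeated) header
    # Constant-time comparison avoids leaking the secret through timing.
    return hmac.compare_digest(values[0].encode("utf-8"),
                               expected_secret.encode("utf-8"))


def handle_webhook(headers, body, expected_secret):
    """Authenticate first, parse second. Returns (status, payload_or_None)."""
    if not secret_matches(headers, expected_secret):
        return 401, None
    try:
        return 200, json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return 400, None


# Constructed sample values for illustration, not real Sendblue traffic.
SAMPLE_SECRET = "your-secret"
SAMPLE_BODY = b'{"example_field": "constructed payload"}'
GOOD = [("Content-Type", "application/json"),
        ("Sb-Signing-Secret", "your-secret")]
BAD = [("Content-Type", "application/json"),
       ("sb-signing-secret", "guess")]

if __name__ == "__main__":
    print(handle_webhook(GOOD, SAMPLE_BODY, SAMPLE_SECRET))
    print(handle_webhook(BAD, SAMPLE_BODY, SAMPLE_SECRET))
```

Because the header carries the secret itself, keep it out of your own request logs the same way the API headers listed on this page are redacted.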

Multi-level protection:

| Level | Purpose |
|---|---|
| Account | Prevents runaway scripts |
| Server | Protects infrastructure |
| Sender | Prevents carrier flagging |
| Conversation | Respects recipient experience |

Rate limits vary by plan.

Built-in opt-out detection for: stop, unsubscribe, cancel, opt out, revoke, end, quit

Opt-in via start. Custom opt-out phrases supported per account.

  • All API requests logged with sanitized headers
  • Request tracing with unique IDs
  • Sensitive headers auto-redacted: authorization, sb-api-key-id, sb-api-secret-key, x-id-token, cookie
  • E.164 phone format validation
  • Email validation for iMessage
  • Emergency numbers blocked (911)
  • Empty content rejected
  • Dedicated phone numbers (country/area code selection)
  • Custom rate limits
  • Priority support
  • Custom SLAs