---
title: Security & Compliance | Sendblue Docs
description: Enterprise-grade security for mission-critical messaging
---

Sendblue is SOC 2 Type 2, HIPAA, and TCPA compliant. Contact us for a copy of our SOC 2 Type 2 audit report and our penetration test reports. HIPAA-covered workloads must run on our dedicated HIPAA instance.

## Authentication

API secrets are stored as SHA-512 HMAC digests with a unique salt per credential; plaintext secrets are never stored. Send both credentials as request headers:

```
sb-api-key-id: YOUR_API_KEY
sb-api-secret-key: YOUR_API_SECRET
```

The `x-` prefixed header names are also accepted:

```
x-sb-api-key-id: YOUR_API_KEY
x-sb-api-secret-key: YOUR_API_SECRET
```

Every request requires both headers. Requests originating from browser frontends are blocked, so API calls must be made from your backend. This also keeps the secret key out of client-side code, where anyone could read it.

## Encryption

- TLS for all API communications
- HTTPS enforced for webhook delivery (HTTP webhook URLs are automatically upgraded to HTTPS, so your endpoint must serve a valid TLS certificate)
- Data encrypted at rest

## Webhook Security

Configure a signing secret per webhook, or one global secret that applies to all of them:

```
{
  "webhooks": [
    {
      "url": "https://yourapp.com/webhook",
      "secret": "your-secret"
    }
  ],
  "globalSecret": "optional-global-secret"
}
```

Sendblue includes the configured secret in the `sb-signing-secret` header of every webhook request. Your endpoint must reject any request whose header does not match the configured secret. Because this is a static shared secret rather than a per-request signature over the body, treat it like a password: compare it in constant time, keep it out of logs, and rotate it if it is ever exposed.

## Rate Limiting

Multi-level protection:

| Level        | Purpose                       |
| ------------ | ----------------------------- |
| Account      | Prevents runaway scripts      |
| Server       | Protects infrastructure       |
| Sender       | Prevents carrier flagging     |
| Conversation | Respects recipient experience |

Rate limits vary by plan.

## TCPA Compliance

Built-in opt-out detection for: `stop`, `unsubscribe`, `cancel`, `opt out`, `revoke`, `end`, `quit`

Opt-in via `start`.

Custom opt-out phrases are supported per account. Contact support to configure them; they cannot be set via the API.

### Blocking Contacts

To block a contact from sending inbound messages, use the `POST /api/v2/block` endpoint.
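The webhook check described above, together with the TCPA opt-out keywords, as an added Python example (not Sendblue's own code). It assumes the configured secret arrives unchanged in the `sb-signing-secret` header and that an inbound-message payload carries the text in a `content` field and the sender in a `from_number` field; both field names are assumptions, as is the policy of classifying only messages that consist of a keyword alone.

```python
"""Webhook receiver for Sendblue callbacks (added example, not Sendblue code).

Assumptions not taken from the Sendblue docs:
- the configured secret arrives unchanged in the `sb-signing-secret` header;
- an inbound-message payload carries the text in `content` and the sender
  in `from_number`; adjust these names to the real payload.
"""
import hmac
import os
import re
from typing import Optional

# Sendblue's documented opt-out and opt-in keywords.
OPT_OUT_KEYWORDS = {"stop", "unsubscribe", "cancel", "opt out", "revoke", "end", "quit"}
OPT_IN_KEYWORDS = {"start"}


def verify_signing_secret(headers: dict, configured_secret: str) -> bool:
    """Return True only if the sb-signing-secret header matches exactly.

    hmac.compare_digest runs in time independent of where the first differing
    byte is, so response timing leaks nothing about the secret. Header names
    are matched case-insensitively, as HTTP requires.
    """
    if not configured_secret:
        # A webhook with no secret configured cannot be authenticated at all.
        return False
    presented = next(
        (v for k, v in headers.items() if k.lower() == "sb-signing-secret"), None
    )
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), configured_secret.encode())


def _normalize(text: str) -> str:
    """Lower-case, replace punctuation with spaces and collapse whitespace so
    that 'STOP!', ' Opt-Out ' and 'opt   out' all compare as keywords."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    return " ".join(cleaned.split())


def classify_consent(message: str) -> Optional[str]:
    """Return 'opt_out', 'opt_in' or None for an inbound message body.

    Only a message consisting of the keyword alone is classified (assumption:
    the usual single-word STOP/START convention); 'please stop texting me'
    is left for a human to review rather than silently ignored.
    """
    body = _normalize(message)
    if body in OPT_OUT_KEYWORDS:
        return "opt_out"
    if body in OPT_IN_KEYWORDS:
        return "opt_in"
    return None


def handle_webhook(headers: dict, payload: dict, configured_secret: str,
                   suppression: set) -> tuple:
    """Authenticate the callback, then keep a local suppression list in sync.

    Returns (http_status, reason). Unauthenticated requests get 401 and the
    payload is never inspected.
    """
    if not verify_signing_secret(headers, configured_secret):
        return 401, "bad or missing sb-signing-secret"

    sender = payload.get("from_number", "")
    consent = classify_consent(payload.get("content", ""))
    if consent == "opt_out":
        suppression.add(sender)
        return 200, f"opted out {sender}"
    if consent == "opt_in":
        suppression.discard(sender)
        return 200, f"opted in {sender}"
    return 200, "ok"


if __name__ == "__main__":
    SECRET = os.environ.get("SENDBLUE_WEBHOOK_SECRET", "your-secret")
    suppressed: set = set()
    # Constructed sample callbacks; not captured Sendblue requests.
    good = {"Sb-Signing-Secret": SECRET, "content-type": "application/json"}
    print(handle_webhook(good, {"from_number": "+12025550123", "content": "STOP!"},
                         SECRET, suppressed))
    print(handle_webhook({"sb-signing-secret": "wrong"}, {"content": "start"},
                         SECRET, suppressed))
    print(sorted(suppressed))
```

The local suppression list only mirrors what Sendblue already enforces; blocking a contact server-side is still done through `POST /api/v2/block`. The secret is read from an environment variable so it never lands in source control.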
## Audit Logging

- All API requests are logged with sanitized headers
- Each request is traced with a unique ID
- Sensitive headers are redacted automatically: `authorization`, `sb-api-key-id`, `sb-api-secret-key`, `x-id-token`, `cookie`

## Input Validation

- Phone numbers must be in E.164 format
- Email addresses are validated for iMessage recipients
- Emergency numbers (911) are blocked
- Empty message content is rejected

## Enterprise

- Dedicated phone numbers (country/area code selection)
- Custom rate limits
- Priority support
- Custom SLAs
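A client-side pre-flight check that mirrors the Input Validation rules above, as an added Python example (not Sendblue's validator). The E.164 shape rule is the standard one; the set of emergency short codes beyond 911, the NANP-only country-code handling and the email regex are this example's own assumptions.

```python
"""Pre-flight validation mirroring Sendblue's documented input rules
(added example, not Sendblue code). Rejecting bad input locally avoids
spending a rate-limited request on a call the server will refuse."""
import re

# E.164: leading '+', country code starting 1-9, at most 15 digits in total.
_E164 = re.compile(r"^\+[1-9]\d{1,14}$")

# Assumption: emergency short codes to block. The docs name only 911.
EMERGENCY_NUMBERS = {"911", "112", "999"}

# Assumption: a simple shape check for iMessage email recipients.
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalize_phone(raw: str) -> str:
    """Strip formatting noise ('+1 (202) 555-0123') so the E.164 check sees
    only '+' and digits. A missing '+' is deliberately not added: guessing a
    country code is how messages reach the wrong person."""
    return re.sub(r"[\s().-]", "", raw.strip())


def validate_recipient(recipient: str) -> tuple:
    """Return (ok, reason). iMessage recipients may be an email address;
    everything else must be E.164 and must not be an emergency number."""
    if "@" in recipient:
        if _EMAIL.match(recipient):
            return True, "email"
        return False, "malformed email"
    number = normalize_phone(recipient)
    if not _E164.match(number):
        return False, "not E.164"
    digits = number[1:]
    # Assumption: only NANP (+1) numbers are stripped to their national part,
    # so both '+911' and '+1911' are recognised as the 911 short code.
    national = digits[1:] if digits.startswith("1") else digits
    if digits in EMERGENCY_NUMBERS or national in EMERGENCY_NUMBERS:
        return False, "emergency number"
    return True, "phone"


def validate_message(recipient: str, content: str) -> list:
    """Collect every reason a send would be rejected; empty list means OK."""
    errors = []
    ok, reason = validate_recipient(recipient)
    if not ok:
        errors.append(reason)
    if not content or not content.strip():
        errors.append("empty content")
    return errors


if __name__ == "__main__":
    # Constructed sample inputs, not real recipients.
    for rcpt, body in [("+1 (202) 555-0123", "hi"), ("911", ""), ("+1911", "x"),
                       ("user@example.com", "hi"), ("2025550123", "hi")]:
        print(f"{rcpt!r}: {validate_message(rcpt, body) or 'ok'}")
```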