Authentication & API Keys

How to authenticate with the Internal Newsletter API. API key generation, scopes (read, write, send_preview), security best practices, and rate limits.

Every API request must include a valid team-scoped API key.

Getting an API key

  1. Sign in to Internal Newsletter and go to Team Settings
  2. Scroll to the API Keys section
  3. Enter a name (e.g. "Claude Agent", "Zapier") and select scopes
  4. Click Create API key
  5. Copy the key immediately — it starts with inl_ and won't be shown again

Using your key

Include it in the Authorization header:

Authorization: Bearer inl_abc123def456...

Or as a query parameter (not recommended for production, because URLs are routinely recorded in server and proxy logs and in browser history):

https://your-app.com/api/v1/team?api_key=inl_abc123def456...

Scopes

API keys have granular scopes that control what they can do:

Scope          Permissions
read           List and view newsletters, content blocks, templates, events, team info
write          Create, update, and delete newsletters and content blocks. Includes AI drafting.
send_preview   Send preview emails to team members

A key with only the read scope cannot create or modify any resources. This is useful for monitoring dashboards or read-only integrations.

Rate limits

  • 60 requests per minute per API key
  • Rate-limited responses return 429 Too Many Requests with a Retry-After header
  • AI draft generation has a separate plan-based limit (check GET /api/v1/team for current usage)

Security best practices

  • Never commit API keys to source control. Use environment variables.
  • Use the minimum scopes needed for each integration.
  • Rotate keys regularly — revoke old keys and generate new ones from Team Settings.
  • Set expiry dates for temporary integrations.
  • Monitor usage — each key tracks its last-used timestamp, visible in Team Settings.

Revoking a key

Go to Team Settings → API Keys and click Revoke next to the key. Revocation is immediate — any in-flight requests using that key will fail.

Error responses

Status                  Meaning
401 Unauthorized        Missing, invalid, revoked, or expired API key
403 Forbidden           Key is valid but missing the required scope
429 Too Many Requests   Rate limit exceeded
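
Example client (added here as an illustration, not code from the Internal Newsletter project): it reads the key from an environment variable, sends it in the Authorization header rather than the query string, waits out 429 responses using Retry-After, and maps 401 and 403 to the causes in the table above. The variable name INL_API_KEY and the helper names are assumptions; the host is the placeholder used on this page.

```python
import os
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

BASE_URL = "https://your-app.com/api/v1"  # placeholder host used on this page
KEY_ENV_VAR = "INL_API_KEY"               # assumed variable name, not defined by the API

def load_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(KEY_ENV_VAR, "")
    if not key.startswith("inl_"):
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or does not look like an inl_ key")
    return key

def build_request(path, key):
    """Put the key in the Authorization header, never in the URL."""
    return urllib.request.Request(BASE_URL + path, headers={"Authorization": f"Bearer {key}"})

def retry_delay(headers, default=1.0, cap=60.0):
    """Seconds to wait per Retry-After (integer seconds or HTTP-date), clamped to [0, cap]."""
    value = headers.get("Retry-After")
    try:
        seconds = int(value)
    except (TypeError, ValueError):
        try:
            seconds = (parsedate_to_datetime(value) - datetime.now(timezone.utc)).total_seconds()
        except (TypeError, ValueError):
            seconds = default  # header missing or unparseable
    return min(max(seconds, 0.0), cap)

def call(path, key, opener=urllib.request.urlopen, sleep=time.sleep, attempts=3):
    """GET path; back off on 429, and raise errors that say what to fix on 401/403."""
    for attempt in range(attempts):
        try:
            with opener(build_request(path, key)) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 429 and attempt < attempts - 1:
                sleep(retry_delay(err.headers))
            elif err.code == 401:
                raise PermissionError("401: key missing, invalid, revoked or expired") from err
            elif err.code == 403:
                raise PermissionError("403: key lacks the required scope") from err
            else:
                raise  # other statuses, or 429 on the final attempt
```

The opener and sleep parameters exist so the retry logic can be exercised without network access; in normal use call("/team", load_key()) is enough.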