Authentication model

Learn how homail verifies that requests really came from you.

The SDK handles this automatically. Raw API requests prove who you are in two ways: the API key identifies your app, and the signature proves the request was created by someone who knows the secret.

Required headers

  • Authorization: Bearer hm_live_<keyId>_<secret>
  • X-Homail-Timestamp: current Unix time in seconds
  • X-Homail-Nonce: a unique random value for this request
  • X-Homail-Signature: the signed request proof
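How the timestamp, nonce and signature headers work together to stop tampering and replay, as an added example that is not homail's own code. The page does not document the signing algorithm, so HMAC-SHA256, the canonical string layout, the 300-second window, the `/v1/send` path and all function names here are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not a documented homail value


def canonical_string(method, path, body, timestamp, nonce):
    # Assumed layout: the page does not say what homail actually signs.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, nonce, body_hash]).encode()


def sign(secret, method, path, body, timestamp, nonce):
    msg = canonical_string(method, path, body, timestamp, nonce)
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_headers(key_id, secret, method, path, body, now=None):
    timestamp = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(16)  # unique random value per request
    return {
        "Authorization": f"Bearer hm_live_{key_id}_{secret}",
        "X-Homail-Timestamp": timestamp,
        "X-Homail-Nonce": nonce,
        "X-Homail-Signature": sign(secret, method, path, body, timestamp, nonce),
    }


def verify(headers, secret, method, path, body, seen_nonces, now=None):
    """Server-side check: return 'ok' or the reason the request is rejected."""
    now = time.time() if now is None else now
    try:
        timestamp = headers["X-Homail-Timestamp"]
        nonce = headers["X-Homail-Nonce"]
        signature = headers["X-Homail-Signature"]
        age = abs(now - int(timestamp))
    except (KeyError, ValueError):
        return "malformed"
    if age > MAX_SKEW_SECONDS:
        return "stale"  # bounds how long seen nonces must be remembered
    expected = sign(secret, method, path, body, timestamp, nonce)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad_signature"  # constant-time comparison
    if nonce in seen_nonces:
        return "replayed"
    seen_nonces.add(nonce)  # record only after the signature checks out
    return "ok"
```

Because the timestamp and nonce are covered by the signature, a captured request cannot be re-sent with fresh values without knowing the secret.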

Scopes

Some keys can only send. Others can also read message status or usage. Give each integration only the scopes it actually needs. Normal SDK integrations only need send scope.