Security Settings

Keeping your EmailKit account secure is important, especially if you're using the API to integrate with your applications. Here are the security features available and best practices to follow.

Authentication Methods

EmailKit supports two authentication methods:

• Email + Password — Traditional sign-up with email verification

• Google Sign-In — OAuth-based authentication through your Google account

Both methods create fully authenticated sessions with the same level of access.

Session Management

When you sign in, EmailKit creates a secure session:

• Sessions are managed using secure, HTTP-only cookies

• Sessions expire after a period of inactivity

• Signing out immediately invalidates your session

• Each device/browser has its own independent session

API Key Security

API keys are a critical security component. Follow these practices:

Do

• Store API keys in environment variables or secret managers

• Use separate keys for development and production

• Set expiration dates on keys used for temporary purposes

• Rotate keys periodically (every 90 days recommended)

• Revoke keys immediately if compromised

Don't

• Hardcode API keys in source code

• Commit API keys to version control (git)

• Share API keys in chat, email, or documentation

• Use production keys in client-side (browser) code

• Give keys to people who no longer need access

Webhook Security

When using webhooks, always verify the signature:

• Every webhook includes an X-EmailKit-Signature header

• Use HMAC-SHA256 with your signing secret to verify authenticity

• Reject any webhook that fails signature verification

• Store your webhook signing secret securely, like an API key

See Using Webhooks for verification code examples.

Protecting Your Account

1. Use a strong password — At least 8 characters with a mix of types

2. Don't reuse passwords — Use a unique password for EmailKit

3. Use Google Sign-In — If you have a Google account with 2FA enabled, this provides an additional layer of security

4. Review API keys regularly — Revoke any keys you're no longer using

5. Monitor your credit usage — Unexpected credit consumption could indicate unauthorized API key usage

Reporting Security Issues

If you discover a security vulnerability or suspect unauthorized access to your account:

• Contact us immediately at security@emailkit.dev

• Change your password and revoke all API keys

• Review your recent verification history for unauthorized usage