PlunkPlunk
Getting Started

Authentication

Understanding API keys and authentication

Two types of API keys

Each project has two API keys for different purposes:

Secret Key (sk_*)

Use for: All server-side API calls

  • Required for /v1/send (sending emails)
  • Required for all dashboard API endpoints (contacts, campaigns, templates, etc.)
  • Can access and modify all project data
  • Never expose in client-side code

Example:

// Server-side only
fetch('https://next-api.useplunk.com/v1/send', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer sk_your_secret_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    to: 'user@example.com',
    subject: 'Hello',
    body: '<p>Your order is ready!</p>'
  })
});

Public Key (pk_*)

Use for: Client-side event tracking only

  • Works only with /v1/track endpoint
  • Cannot send emails or access any other endpoints
  • Safe to include in frontend JavaScript
  • Use for tracking user behavior from web browsers or mobile apps

Example:

// Client-side safe
fetch('https://next-api.useplunk.com/v1/track', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer pk_your_public_key',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    email: 'user@example.com',
    event: 'button_clicked',
    data: { button: 'signup' }
  })
});

Finding your API keys

  1. Log into Plunk dashboard
  2. Select your project
  3. Go to Settings > API Keys
  4. Copy the key you need

Using API keys

All authenticated requests use the Authorization header with Bearer token format:

Authorization: Bearer sk_your_secret_key

cURL example

curl -X POST https://next-api.useplunk.com/v1/send \
  -H "Authorization: Bearer sk_your_secret_key" \
  -H "Content-Type: application/json" \
  -d '{"to": "user@example.com", "subject": "Test", "body": "Hello"}'

Node.js example

const PLUNK_SECRET_KEY = process.env.PLUNK_SECRET_KEY;

const response = await fetch('https://next-api.useplunk.com/v1/send', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${PLUNK_SECRET_KEY}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    to: 'user@example.com',
    subject: 'Test',
    body: 'Hello'
  })
});

Python example

import os
import requests

PLUNK_SECRET_KEY = os.environ.get('PLUNK_SECRET_KEY')

response = requests.post(
  'https://next-api.useplunk.com/v1/send',
  headers={
    'Authorization': f'Bearer {PLUNK_SECRET_KEY}',
    'Content-Type': 'application/json'
  },
  json={
    'to': 'user@example.com',
    'subject': 'Test',
    'body': 'Hello'
  }
)

Security best practices

Store secret keys securely

Never commit secret keys to version control. Use environment variables:

# .env file (add to .gitignore)
PLUNK_SECRET_KEY=sk_your_secret_key

Rotate compromised keys

If a secret key is exposed:

  1. Go to Settings > API Keys
  2. Click Regenerate Secret Key
  3. Update your application with the new key
  4. The old key stops working immediately

Use the right key for the job

  • Sending emails from your backend? → Use secret key
  • Tracking events from frontend? → Use public key
  • Managing contacts via API? → Use secret key
  • Building a workflow dashboard? → Use secret key

When in doubt, if it's not /v1/track, you need the secret key.

Next Steps

Now that you're authenticated, you can:

Introduction

Get started with Plunk

Quick Start

Send your first email in 5 minutes

On this page

Two types of API keysSecret Key (sk_*)Public Key (pk_*)Finding your API keysUsing API keyscURL exampleNode.js examplePython exampleSecurity best practicesStore secret keys securelyRotate compromised keysUse the right key for the jobNext Steps