Authentication
Quolle uses API keys for all public API requests.
Include your key as a Bearer token on every request.
Get an API key
Go to app.quolle.com
→ API Keys → Create key. Give it a name, then copy the key immediately —
it starts with qle_ and is shown only once.
If you lose it, delete it and create a new one.
Making requests
Pass your key in the Authorization header on every API call:
curl -X POST https://api.quolle.com/v1/emails/send \
-H "Authorization: Bearer qle_your_api_key" \
-H "Content-Type: application/json" \
-d '{
"from": "hello@mail.yourdomain.com",
"to": "customer@example.com",
"subject": "Hello",
"html": "<p>Hello</p>"
}'
const res = await fetch("https://api.quolle.com/v1/emails/send", {
method: "POST",
headers: {
"Authorization": `Bearer ${process.env.QUOLLE_API_KEY}`,
"Content-Type": "application/json",
},
body: JSON.stringify({
from: "hello@mail.yourdomain.com",
to: "customer@example.com",
subject: "Hello",
html: "<p>Hello</p>",
}),
});
import os
import requests
response = requests.post(
"https://api.quolle.com/v1/emails/send",
headers={
"Authorization": f"Bearer {os.environ['QUOLLE_API_KEY']}",
"Content-Type": "application/json",
},
json={
"from": "hello@mail.yourdomain.com",
"to": "customer@example.com",
"subject": "Hello",
"html": "<p>Hello</p>",
},
timeout=15,
)
Security best practices
-
Never commit keys to source control. Store them as environment variables
(
QUOLLE_API_KEY=qle_…) and add.envto your.gitignore. - One key per environment. Create separate keys for development, staging, and production so you can rotate or revoke each independently without affecting the others.
- Rotate immediately if a key leaks. Delete the compromised key in the dashboard under API Keys — it is deactivated instantly — then create a replacement.
API keys grant full sending access under your account. Treat them like
passwords. If a key appears in a public repo, CI log, or error trace, rotate it immediately.
Error responses
A missing or invalid key returns 401 Unauthorized. No detail is provided
beyond the status code to avoid leaking information about key validity:
// HTTP 401
{
"error": "Unauthorized"
}