Authentication

Quolle uses API keys for all public API requests. Include your key as a Bearer token on every request.

Get an API key

Go to app.quolle.comAPI Keys → Create key. Give it a name, then copy the key immediately — it starts with qle_ and is shown only once. If you lose it, delete it and create a new one.

Making requests

Pass your key in the Authorization header on every API call:

curl -X POST https://api.quolle.com/v1/emails/send \
  -H "Authorization: Bearer qle_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "from": "hello@mail.yourdomain.com",
    "to": "customer@example.com",
    "subject": "Hello",
    "html": "<p>Hello</p>"
  }'
const res = await fetch("https://api.quolle.com/v1/emails/send", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.QUOLLE_API_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    from: "hello@mail.yourdomain.com",
    to: "customer@example.com",
    subject: "Hello",
    html: "<p>Hello</p>",
  }),
});
import os
import requests

response = requests.post(
    "https://api.quolle.com/v1/emails/send",
    headers={
        "Authorization": f"Bearer {os.environ['QUOLLE_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "from": "hello@mail.yourdomain.com",
        "to": "customer@example.com",
        "subject": "Hello",
        "html": "<p>Hello</p>",
    },
    timeout=15,
)

Security best practices

API keys grant full sending access under your account. Treat them like passwords. If a key appears in a public repo, CI log, or error trace, rotate it immediately.

Error responses

A missing or invalid key returns 401 Unauthorized. No detail is provided beyond the status code to avoid leaking information about key validity:

// HTTP 401
{
  "error": "Unauthorized"
}