SendGrid

SendGrid provides programmatic options to incorporate email and marketing tools into your application using only an API key. It is an easy way to add rich functionality to your app; however, if you lose your API key, it's also an easy way to leak sensitive information and rack-up fraudulent charges.

Requirements

  • Understand the Doppler rotation methodology
  • Ability to create a SendGrid API key with the following permissions
    • Full API key access
    • Any permission(s) you want to assign to your rotated key

Overview

Doppler rotates SendGrid API keys using our issuer methodology. After you complete the rotated secret creation process, Doppler will issue the first rotated secret instance. At the defined frequency, Doppler will then issue a new SendGrid key instance before revoking a previous SendGrid key instance (reminder: there's always two).

Privilege Scoping

Doppler leverages a SendGrid API key as the managing user to facilitate rotation. This API key can only create other API keys that have, at most, the same privileges as itself.

You can choose to select only a subset of the privileges the managing user has; this is recommended because the managing user requires SendGrid Full API access, which most API keys likely won't need.

SendGrid Rotated Secret Creation

  1. Navigate to the Doppler config you would like to add a rotated secret to
  2. Click the dropdown next to Add Secret and select Add Rotated Secret
  1. In the modal, select SendGrid
  2. Name your integration
  3. The Managing User Key is a SendGrid API key you create to facilitate rotation. Read more about its requirements here.
  4. Hit Next
  1. Name your rotated secret. As you do, you'll get a live look at the secrets we'll be dynamically injecting into your config.
  2. Select the Scopes the rotated secret should receive
  3. Select the Interval at which you'd like your rotated secret instances to be rotated
  4. Hit Next
  1. The setup is complete and Doppler has created the first rotated secret instance, which is immediately available in your config