SendGrid API key + scopes
After authenticating the domain and setting up SPF, the last step is generating a SendGrid API key and pasting it into RocketLead’s integration configuration. The key authorizes RocketLead to call SendGrid on the customer’s behalf.
The key must have exactly the right scopes — too few breaks sending, too many is a security overreach.
Step 1 — Create the API key in SendGrid
Section titled “Step 1 — Create the API key in SendGrid”In SendGrid: Settings → API Keys → Create API Key.
| Field | Value |
|---|---|
| Name | Use the customer’s name (e.g. “Studio Example”) so you can find it later in audits |
| API Key Permissions | Restricted Access — not “Full Access” |
Picking “Restricted Access” reveals a list of permission categories. You need exactly two:
- Mail Send → Full Access (the middle column setting)
- Sender Authentication → Read Access (the middle column setting)
Leave everything else at “No Access”.
Why these specific scopes
Section titled “Why these specific scopes”| Scope | Why it’s needed |
|---|---|
| Mail Send: Full Access | Lets RocketLead actually send email. Without this, every automation email fails. |
| Sender Authentication: Read Access | Lets RocketLead validate that the sender addresses (info@, noreply@) belong to authenticated domains before sending. Without this, the integration’s “Verify connection” step fails. |
Anything more (Stats, Suppressions, Webhooks, etc.) is unnecessary — RocketLead doesn’t use them. Granting them widens the blast radius if the key ever leaks.
Step 2 — Copy the key (it’s shown once)
Section titled “Step 2 — Copy the key (it’s shown once)”After clicking Create, SendGrid shows the API key once. Copy it immediately to a secure store — you can’t retrieve it later, only regenerate.
Step 3 — Paste into RocketLead
Section titled “Step 3 — Paste into RocketLead”In the RocketLead console: Settings → Integrations → SendGrid. A two-step wizard:
Step 1 — paste the API key. RocketLead verifies it by calling SendGrid’s API and then surfaces the list of verified sender addresses in your authenticated domains.
Step 2 — pick which of those addresses to register on this integration. The set is stored as a flat list (integrationData.emails); there’s no fixed pair, you can register as many as you want. The conventional minimum:
info@<domain>— for customer-facing mail.noreply@<domain>— required for internal-recipient mail.
Click Save. The key is encrypted server-side. After save, the registered sender list is displayed on the integration card under “Konfigurierte E-Mail-Adressen”.
Adding or removing senders later
Section titled “Adding or removing senders later”The console surface for editing an existing SendGrid integration is currently minimal — there’s no in-place “edit senders” UI. To change the registered set, delete the integration and recreate, or have an operator update integrationData.emails directly in the database.
The conservative approach is to register both info@ and noreply@ upfront so you don’t have to revisit this.
Rotating the API key
Section titled “Rotating the API key”If the key ever leaks or needs to be rotated:
- Revoke the old key in SendGrid (Settings → API Keys → …).
- Generate a new key with the same scopes.
- Update the key in RocketLead’s integration config (the existing senders carry over).
You should never store the key in any place other than the customer’s password manager and the encrypted store inside RocketLead’s integration config.
Roadmap
Section titled “Roadmap”The current model is an interim — see the shared-SendGrid model and migration plan (gated) for what’s coming. Short version: RocketLead is moving to AWS SES with native multi-tenant separation, at which point the API key handoff goes away and the integration becomes click-once.
What’s next
Section titled “What’s next”You’ve covered email setup. Move on to Forms for the final setup section.