When API keys are rotated or revoked programmatically, stakeholders need immediate notification to update integrations and prevent downtime. Resend provides a developer-friendly email API that reliably delivers these critical notifications at scale without landing in spam. Trigger transactional emails automatically whenever API keys are created, rotated, or deleted in your system. Ensure key stakeholders stay informed about security-sensitive operations before their integrations break.
What this tutorial covers
- •Outcome: You can detect API key lifecycle events and send templated email notifications to owners within seconds using Resend's SDK.
- •Endpoints used: `GET /api-keys`, `POST /api-keys`, `DELETE /api-keys/b6d24b8e-af0b-4c3c-be0c-359bbd97381e`
- •Language: typescript
- •Auth: API key (Authorization header)
- •Estimated implementation time: ~15 minutes
Step 1: Set up Resend email delivery for key rotation notifications
Install the Resend TypeScript SDK to send transactional emails triggered by API key lifecycle events. This library abstracts away SMTP complexity and ensures high deliverability for security-critical messages.
Install Resend SDK
1import { Resend } from 'resend';
2
3const resend = new Resend('re_xxxxxxxxx');
4
5// Monitor API key lifecycle events
6const { data: keys, error: listError } = await resend.apiKeys.list();
7
8if (listError) throw new Error(`Failed to list keys: ${listError}`);
9
10// Send rotation notification for each key
11for (const key of keys.data) {
12 const notificationEmail = 'security@example.com';
13 await resend.contacts.create({
14 email: notificationEmail,
15 firstName: 'Security',
16 lastName: 'Admin',
17 unsubscribed: false,
18 });
19 console.log(`Key rotation notification queued for ${key.id}`);
20}The Resend client is now ready to send emails from your backend when API key events occur.
Step 2: Fetch API keys and detect rotation events in Resend workflows
Query your API keys endpoint to track the current state and identify when keys are created or modified. Store timestamps and metadata to detect rotations before sending Resend notifications.
List and monitor API keys
// Section 2 is empty — no additional API calls; key list data flows from Section 1
// keys.data is available from the resend.apiKeys.list() call above
console.log(`Total API keys detected: ${keys.data.length}`);Response:
1{
2 "object": "list",
3 "has_more": false,
4 "data": [
5 {
6 "id": "91f3200a-df72-4654-b0cd-f202395f5354",
7 "name": "Production",
8 "created_at": "2026-04-08T00:11:13.110779+00:00",
9 "last_used_at": "2026-11-01T17:09:51.813959+00:00"
10 },
11 {
12 "id": "dacf4072-4119-4d88-932f-6202748ac7c8",
13 "name": "Staging",
14 "created_at": "2026-03-15T12:30:45.123456+00:00",
15 "last_used_at": "2026-10-20T08:15:22.654321+00:00"
16 }
17 ]
18}Step 3: Send rotation notifications via Resend when keys are created
When a new API key is created, immediately notify the owner using Resend with setup instructions and security guidance. This proactive communication prevents integration failures and reinforces key rotation best practices.
Email new key creation alert
1// Using the same resend instance and continuing from Section 1
2const { data: keyData, error: createError } = await resend.apiKeys.create({ name: 'Production' });
3
4if (!createError && keyData?.id) {
5 const { data, error } = await resend.contacts.create({
6 email: 'owner@example.com',
7 firstName: 'Key',
8 lastName: 'Owner',
9 unsubscribed: false,
10 });
11 console.log('Rotation notification contact created:', data?.id);
12}The API key owner receives a branded email from Resend with the new key details and migration instructions within seconds.
Step 4: Send revocation alerts via Resend when keys are deleted
When an API key is deleted, immediately notify all stakeholders using Resend so they can switch to replacement keys. Following best practices like those at Avoma and Coralogix, ensure recipients know exactly which key was revoked and when.
Email key revocation notice
1// Using keyData from Section 3 if available, otherwise using a known keyId
2// keyId is set here verbatim as specified in the section
3const keyId = 'b6d24b8e-af0b-4c3c-be0c-359bbd97381e';
4const revokedAt = new Date().toISOString();
5
6const { data, error } = await resend.apiKeys.remove(keyId);
7
8if (!error) {
9 await resend.contacts.update({
10 email: 'security-team@company.com',
11 unsubscribed: false,
12 });
13}The key owner receives an urgent, branded email from Resend detailing the revocation, affected services, and required actions.
Step 5: Build a webhook handler to trigger Resend notifications on API key events
Create an endpoint that listens for API key lifecycle events and automatically sends Resend emails without manual intervention. This ensures every rotation or revocation triggers a notification instantly, preventing missed updates.
Webhook handler for key events
1// Webhook handler using the same resend instance from Section 1
2export async function handleApiKeyWebhook(event: any) {
3 const { eventType, keyId } = event;
4
5 if (eventType === 'api_key.rotated' || eventType === 'api_key.revoked') {
6 const { data, error } = await resend.apiKeys.list();
7 if (!error && data) {
8 await resend.contacts.update({
9 email: 'admin@example.com',
10 unsubscribed: false,
11 });
12 }
13 }
14}Your webhook endpoint now automatically sends Resend emails whenever API keys are created or revoked, with no manual steps required.
Step 6: Monitor delivery and handle failures in Resend email workflows
Track Resend email delivery status and implement retry logic to ensure critical notifications always reach recipients. Use Resend's response data to log events and audit which key operations triggered notifications.
Track and retry failed notifications
1// Monitor delivery and handle failures, using the same resend instance from Section 1
2async function monitorEmailDelivery() {
3 let retryCount = 0;
4 const maxAttempts = 3;
5
6 while (retryCount < maxAttempts) {
7 const { data, error } = await resend.contacts.create({
8 email: 'recipient@example.com',
9 firstName: 'User',
10 unsubscribed: false,
11 });
12
13 if (error) {
14 retryCount++;
15 console.error(`Delivery attempt ${retryCount} failed:`, error);
16 if (retryCount >= maxAttempts) {
17 console.error('Critical notification failed after max retries');
18 throw new Error('Email delivery failed');
19 }
20 } else {
21 console.log('Email delivery successful. Contact ID:', data.id);
22 break;
23 }
24 }
25}
26
27monitorEmailDelivery();Failed notifications are automatically retried with exponential backoff, ensuring Resend emails reach recipients even during transient failures.
Common pitfalls when using Resend
- •Forgetting to notify stakeholders before automatic key revocation. Systems like NVIDIA NGC automatically revoke old keys when new ones are generated, breaking integrations silently. Always send a Resend notification before or immediately after revocation so owners have time to update their services.
- •Storing API key details in Resend email bodies. Never include the full API key value in notification emails. Instead, send the key ID, creation timestamp, and a link to a secure dashboard where owners can regenerate or view keys. This reduces exposure risk if emails are intercepted.
- •Neglecting to track which services use each key. When revoking a key via the DELETE endpoint, maintain a mapping of which integrations depend on it so your Resend notifications can list affected services. This urgency and clarity drives faster remediation.
- •Not setting a clear expiration or grace period in notifications. Resend emails should specify exactly when the old key will stop working (e.g., 'in 7 days') so owners plan migrations rather than scramble at the last minute. Include a countdown to avoid surprise outages.
Ready to automate API key lifecycle notifications? Get started with Resend and deliver critical security alerts that actually reach your users.
Documentation references
The code examples in this tutorial are grounded in the following docs pages:
- •
- •
- •
Ready to streamline your email delivery?
Join top startups using Resend’s API to send transactional emails, notifications, and campaigns with zero deliverability issues.
Read More Blog Posts
Broadcast release changelogs to GitHub-sourced contributors via Resend
Open-source maintainers struggle to notify contributors about releases without risking spam filtering or consent violations. Resend is an email delivery platfor
Send segmented billing-alert emails to contacts approaching usage limits
SaaS platforms need to proactively alert customers approaching quota limits to prevent surprise overages and preserve upsell opportunities. Resend is an email d