Envello
Trust

Why your email API needs role-based access, not one shared login

Envello Team·2026-07-16·4 min read

A shared login for a transactional email account is a common shortcut on a small team, and a genuinely risky one: whoever has the credentials can create or revoke API keys, remove sending domains, or change account-level settings, with no record of who actually did it if something goes wrong.

The three roles

Envello supports three account roles: admin, developer, and viewer. Admins manage team membership, billing, and account-level settings. Developers can create and manage API keys and domains without touching billing or team membership. Viewers can see logs and account activity without being able to change anything. That's a narrow, specific split, not a sprawling permissions matrix, on purpose: most teams need "can change things" vs. "can only look" more than they need a dozen granular toggles.

Why this matters more for an email API specifically

An API key with send access can be used to send from your verified domains, which means a leaked or over-shared key is a reputation risk for your sending domain, not just a data-access risk. Scoping who can create and revoke keys to specific roles, rather than everyone sharing one login, is a smaller surface area for that kind of mistake.

What this doesn't replace

Roles control who can do what inside the account. They don't replace the audit log, which records who actually did do what, a separate and complementary piece covered in its own post. Roles are prevention; the audit log is the record after the fact.

Envello

EU-hosted transactional email, done right by default.