Is it secure to use SendGrid API keys in Zitadel actions?
We want to send a welcome email with our custom template upon user registration using SendGrid. Is it safe to use SendGrid API keys directly in the Zitadel action to send the welcome email, or would it be better to make an external API call to our server to handle the welcome email?
Any update?
Where does your Zitadel instance run?
Just in theory:
Assuming you implemented a service/an API that proxies between Zitadel and SendGrid, you still need to secure that API.. which would result in... credentials required in your Zitadel action configuration..
So.. that wouldn't introduce another layer of security but another layer of complexity.
However, I'm not aware of where Action logs go to if it keeps logs at all.
At least everyone with access to the actions could read the key. So that's definitely something to consider
@SaarPhil We are using a hosted instance. I think if the SendGrid API key is exposed it will do more damage than the proxy server's API key. But I have seen someone using it directly in actions. I just wanted to check before implementing.
Again, sending to SendGrid directly vs. sending to SendGrid via a proxy service.. maybe you could implement a rate limit inside your proxy or, if available, limit access to certain IPs (those used by Zitadel)..
But without that it doesn't make a difference in terms of damage. At least if it comes to spamming messages..
Not sure if SendGrid API keys allow for more than that.
@SaarPhil I thought the same about implementing a rate limit inside our proxy. I will go that way.