[{"data":1,"prerenderedAt":177},["ShallowReactive",2],{"blog-blueprints/sendgrid-integration":3},{"id":4,"title":5,"body":6,"category":157,"date":158,"dateModified":158,"description":159,"draft":160,"extension":161,"faq":162,"featured":160,"headerVariant":163,"image":162,"keywords":162,"meta":164,"navigation":165,"ogDescription":166,"ogTitle":162,"path":167,"readTime":168,"schemaOrg":169,"schemaType":170,"seo":171,"sitemap":172,"stem":173,"tags":174,"twitterCard":175,"__hash__":176},"blog/blog/blueprints/sendgrid-integration.md","SendGrid Integration Security Guide",{"type":7,"value":8,"toc":146},"minimark",[9,20,24,30,35,50,54,63,67,76,85,89,94,97,100,103,106,109,120,134],[10,11,12],"blueprint-summary",{},[13,14,15,19],"p",{},[16,17,18],"strong",{},"To secure SendGrid integration,"," you need to: (1) create API keys with minimal permissions (Mail Send only for sending), (2) validate webhook signatures using ECDSA verification, (3) sanitize email content to prevent header injection attacks, (4) configure DKIM/SPF records for domain authentication, and (5) enable IP access management in the SendGrid console. This blueprint protects your email infrastructure from abuse and ensures deliverability.",[21,22],"blueprint-meta",{"time":23},"1-2 hours",[25,26,27],"tldr",{},[13,28,29],{},"SendGrid API keys should have minimal permissions and be stored server-side only. Validate webhook signatures, sanitize email content to prevent injection, configure DKIM/SPF for deliverability and security, and use IP access management for sensitive operations.",[31,32,34],"h2",{"id":33},"sending-email-securely-sendgrid","Sending Email Securely SendGrid",[36,37,39],"code-block",{"label":38},"lib/email.ts",[40,41,46],"pre",{"className":42,"code":44,"language":45},[43],"language-text","import sgMail from '@sendgrid/mail'\n\nsgMail.setApiKey(process.env.SENDGRID_API_KEY!)\n\nexport async function sendWelcomeEmail(to: string, name: string) {\n  // Sanitize inputs to prevent header injection\n  const sanitizedName = name.replace(/[\\r\\n]/g, '')\n\n  await sgMail.send({\n    to,\n    from: {\n      email: 'noreply@yourdomain.com',\n      name: 'Your App',\n    },\n    templateId: 'd-xxxxxxxxxxxxx',  // Use templates, not raw HTML\n    dynamicTemplateData: {\n      name: sanitizedName,\n    },\n  })\n}\n\nexport async function sendEmail(options: {\n  to: string\n  subject: string\n  text: string\n}) {\n  // Sanitize subject to prevent header injection\n  const sanitizedSubject = options.subject.replace(/[\\r\\n]/g, '')\n\n  await sgMail.send({\n    to: options.to,\n    from: 'noreply@yourdomain.com',\n    subject: sanitizedSubject,\n    text: options.text,\n  })\n}\n","text",[47,48,44],"code",{"__ignoreMap":49},"",[31,51,53],{"id":52},"webhook-signature-validation-sendgrid","Webhook Signature Validation SendGrid",[36,55,57],{"label":56},"app/api/webhooks/sendgrid/route.ts",[40,58,61],{"className":59,"code":60,"language":45},[43],"import { EventWebhook } from '@sendgrid/eventwebhook'\n\nconst verificationKey = process.env.SENDGRID_WEBHOOK_VERIFICATION_KEY!\n\nexport async function POST(req: Request) {\n  const signature = req.headers.get('x-twilio-email-event-webhook-signature')!\n  const timestamp = req.headers.get('x-twilio-email-event-webhook-timestamp')!\n\n  const body = await req.text()\n\n  const eventWebhook = new EventWebhook()\n  const ecPublicKey = eventWebhook.convertPublicKeyToECDSA(verificationKey)\n\n  const isValid = eventWebhook.verifySignature(\n    ecPublicKey,\n    body,\n    signature,\n    timestamp\n  )\n\n  if (!isValid) {\n    return new Response('Invalid signature', { status: 403 })\n  }\n\n  const events = JSON.parse(body)\n\n  for (const event of events) {\n    switch (event.event) {\n      case 'bounce':\n        await handleBounce(event.email)\n        break\n      case 'spam_report':\n        await handleSpamReport(event.email)\n        break\n    }\n  }\n\n  return new Response('OK')\n}\n",[47,62,60],{"__ignoreMap":49},[31,64,66],{"id":65},"api-key-best-practices","API Key Best Practices",[36,68,70],{"label":69},"Recommended API Key Permissions",[40,71,74],{"className":72,"code":73,"language":45},[43],"// Create separate API keys for different purposes:\n\n// 1. Sending emails (minimal permissions)\n//    - Mail Send: Full Access\n//    - All other permissions: No Access\n\n// 2. Webhook validation (read-only)\n//    - Event Notification: Read Access\n//    - All other permissions: No Access\n\n// 3. Never use full-access keys in applications\n",[47,75,73],{"__ignoreMap":49},[77,78,79],"warning-box",{},[13,80,81,84],{},[16,82,83],{},"Use minimal API key permissions."," Create separate keys for sending vs webhook handling. Enable IP access management in SendGrid for additional security.",[31,86,88],{"id":87},"security-checklist","Security Checklist",[90,91,93],"h4",{"id":92},"pre-launch-checklist","Pre-Launch Checklist",[13,95,96],{},"API key has minimal permissions",[13,98,99],{},"Webhook signatures validated",[13,101,102],{},"Email content sanitized",[13,104,105],{},"DKIM/SPF configured",[13,107,108],{},"IP access management enabled",[110,111,112,117],"stack-comparison",{},[113,114,116],"h3",{"id":115},"related-integration-stacks","Related Integration Stacks",[13,118,119],{},"Twilio SMS Integration\nWebhook Signature Patterns\nEdge Function Security",[121,122,123,129],"related-articles",{},[124,125],"related-card",{"description":126,"href":127,"title":128},"SMS security","/blog/blueprints/twilio-integration","Twilio Integration",[124,130],{"description":131,"href":132,"title":133},"Deep dive","/blog/best-practices/api-design","API Security Guide",[135,136,139,143],"cta-box",{"href":137,"label":138},"/","Start Free Scan",[31,140,142],{"id":141},"check-your-email-integration","Check Your Email Integration",[13,144,145],{},"Scan for email security issues.",{"title":49,"searchDepth":147,"depth":147,"links":148},2,[149,150,151,152,156],{"id":33,"depth":147,"text":34},{"id":52,"depth":147,"text":53},{"id":65,"depth":147,"text":66},{"id":87,"depth":147,"text":88,"children":153},[154],{"id":115,"depth":155,"text":116},3,{"id":141,"depth":147,"text":142},"blueprints","2026-02-12","Security guide for SendGrid email integration. Validate webhooks, protect API keys, prevent email injection, configure DKIM/SPF, and secure your email infrastructure.",false,"md",null,"purple",{},true,"Secure SendGrid email integration patterns.","/blog/blueprints/sendgrid-integration","10 min read","[object Object]","Article",{"title":5,"description":159},{"loc":167},"blog/blueprints/sendgrid-integration",[],"summary_large_image","zWEw29rzK2VcEVjvshAc0Bz1GXfmrgMgKIQFUAMPcmw",1775843932012]