Keyboard Shortcuts
ctrl + shift + ? :
Show all keyboard shortcuts
ctrl + g :
Navigate to a group
ctrl + shift + f :
Find
ctrl + / :
Quick actions
esc to dismiss
2FA
account settings
accounts
activity log
albums
aliases
analytics
Android app
API
app
attachments
badges
banning
billing
bouncing
calendars
chats
cover photo
credit card on file
CSV files
dark mode
databases
date format
delivery history
digests
direct add
directory
donations
downgrading
downloading
email address
Emailed Photos album
Enterprise groups
events
exporting
extra member data
FAQ
files
folders
footers
GitHub
groups
Groups.io mail servers
guidelines
hashtags
home pages
HTML editor
integrations
iOS app
IP addresses
items per page
JSON files
keyboard shortcuts
language preference
locking
logging in
Markdown editor
member labels
member list
members
messages
mobile app
moderation settings
moderators
notices
notifications
owners
passwords
past members
payers
photos
polls
privacy settings
private groups
profiles
public groups
reposting messages
signatures
Slack synchronization
social logins
spam control settings
spam reported message
special notices
sponsorships
storage space
subgroups
subscriptions
summaries
Tapbacks
text editor
threading
timezone
topics
two-factor authentication
unlocking
upgrading
username
videos
visibility
web/app notifications
wikis
Changing your email address
Creating a Groups.io account
Customizing your account profile and group profiles
Dealing with bouncing accounts
Deleting your account
Displaying your account settings
Exporting your account data
Logging in to your account
Logging out of your account
Merging accounts
Recovering your account if you enter an incorrect email address
Setting dark mode
Setting or changing your social login preference
Setting the number of items to show on group web pages
Setting your language, time, and date display preferences
Setting your preferred text editor
Understanding Groups.io accounts
About group calendars
Adding calendar events
Adding events from outside calendar invitations
Calendar settings
Downloading event iCalendar (ICS) files
Editing or deleting calendar events
Subscribing to a group's calendar
Using the RSVP feature
Viewing a group's calendar and events
Your Calendar home page
Changing the group's cover photo and icon
Creating a group
Customizing group settings
Deleting a group or subgroup
General settings
Group aliases
Group and content restrictions
Inviting people to join a group
Joining a group by email
Joining a publicly listed group through the group's website
Joining or leaving groups
Leaving a group
Locked Group notice
Locking and unlocking groups and subgroups
Promoting your group
Receiving a notice that you were added to a group
Renaming a group
Responding to an invitation to join a group
Standard group email addresses
Upgrading a group
Visiting your groups' websites
Applying hashtags to existing topics
Applying hashtags to new topics
Controlling the use and creation of hashtags
Creating a hashtag
Deleting a hashtag
Editing a hashtag
Hashtag uses and notes
How hashtags are displayed in the group archive
System hashtags and associated notifications
Viewing the hashtags in a group
Adding members directly
Adding moderator notes
Adding or updating members' display names
Banning or unbanning members
Changing a member's email address
Changing an owner or moderator back to a regular member
Displaying an individual member's record
Displaying the member list
Handling members marked NC
Handling pending members
Inviting people to join a group
Making a member an owner or moderator
Message to Member notice
Moderating individual members
Removed Member notice
Removing members from the group
Reviewing members who were removed because of reported spam
Synchronizing group members with a file of email addresses
Synchronizing group members with Slack teams
Using member labels
Viewing information about past members
About footers
Controlling how much email you receive from a group
Deleting individual messages
Downloading a group's message archive
Editing the content of messages in the archive
Footers in individual email messages
Group owner email messages
Handling pending messages
Message formatting settings
Message policy settings
Message reposting settings
Moderating topics, messages, and attachments
Reporting messages to moderators or Groups.io Support
Reposting messages
Responding to a "You have been removed because of reported spam" message from Groups.io
Searching for messages in the archive
Seeing copies of your own messages that you email to groups
Using email to send or reply to group messages
Using the group's website or app to post new topics or reply to existing messages
Using the Like feature
Viewing topics and messages on group websites
About notices
Banned Member notice
Creating, editing, or deleting notices
Direct Add notice
Displaying the Notices page
Goodbye notice
Group Guidelines notice
Group Sponsorship notice
Invite notice
Locked Group notice
Locked Topic notice
Message to Member notice
Monthly Reminder notice
Pending Subscription notice
Rejected Message notice
Rejected Subscription notice
Removed Member notice
Welcome notice
Applying hashtags to existing topics
Applying hashtags to new topics
Deleting topics
Editing the properties of topics in the archive
Locked Topic notice
Locking and unlocking topics
Merging topics
Moderating topics, messages, and attachments
Pinning topics and wiki pages
Splitting topics
Topic icons
Topic threading algorithm
Topics home page
Using email to send or reply to group messages
Using the group's website or app to post new topics or reply to existing messages
Using the Like feature
Viewing topics and messages on group websites
About the Wiki feature
Adding a table of contents to a wiki page
Adding, editing, or deleting wiki footers
Adding, editing, or deleting wiki sidebars
Creating and editing wiki pages
Deleting wiki pages
Displaying a specific wiki page
Viewing a group's wiki
Viewing a wiki page's revision history
Wiki settings
- Help Center
- Index
Overview
API keys allow you to authenticate with the Groups.io application programming interface (API) without using your password. This feature allows users to generate, manage, and use API keys as an alternative to cookie-based authentication. Each key can be individually revoked if it is compromised.
Creating an API key
- Display your account settings.
- Desktop browser: In the left menu, select API Keys.
Mobile device: Tap the More icon at the bottom of the page, then tap API Keys on the More menu.
Tip: The direct link to the API Keys page is https://groups.io/settings/apikeys. - On the resulting page:
- (Required) In the Key Name field, enter a descriptive name for the key (for example, CI/CD Pipeline or Mobile App).
- (Optional but recommended) In the Description field, document the purpose of the key.
- Click or tap Create API Key.
The page refreshes and displays the full 64-character key in a green banner at the top of the page. The key name and description (if you provided one) are displayed in a table titled Your API Keys at the bottom of the page. - ! Important: Immediately copy and securely store the full key that is shown in the green banner. You will not be able to display it again.
Viewing API keys
- Display your account settings.
- Desktop browser: In the left menu, select API Keys.
Mobile device: Tap the More icon at the bottom of the page, then tap API Keys on the More menu.
Tip: The direct link to the API Keys page is https://groups.io/settings/apikeys.
Note: The full key is never shown again after creation.
Revoking or deleting an API key
You can revoke a key to disable it without deleting it, which preserves an audit trail. Deleting a key permanently removes it from the system.
To revoke or delete an API key:
- Display your account settings.
- Desktop browser: In the left menu, select API Keys.
Mobile device: Tap the More icon at the bottom of the page, then tap API Keys on the More menu.
Tip: The direct link to the API Keys page is https://groups.io/settings/apikeys. - In the key’s row in the Your API Keys table, click or tap the Revoke or Delete button (as applicable).
- When the confirmation popup appears, click or tap OK.
Best practices for end users
- Key generation
- Use descriptive names. Examples: CI/CD Pipeline, Mobile App
- Add descriptions to remember the keys’ purpose.
- Store keys immediately because they cannot be retrieved later.
- Key storage
- Never share API keys via email or chat.
- Use environment variables in applications.
- Consider using secrets management tools.
- Key rotation
- Generate new keys before revoking old ones.
- Update applications with new keys.
- Monitor last used dates to identify unused keys.
- Security
- Treat API keys like passwords.
- Revoke compromised keys immediately.
- Delete unused keys regularly
Best practices for developers
- Using API keys
```bash
curl -H "Authorization: Bearer YOUR_API_KEY" https://groups.io/api/v1/getsubs
``` - Error handling
- Check for 401 Unauthorized responses.
- Implement key rotation in applications.
- Log API errors for debugging. Never log the key itself.
- Migration from cookie authentication
- API keys provide stateless authentication.
- Better for automated systems and CI/CD.
- No session management required.
Technical architecture
- Database schema
API keys are stored in the 'apikeys' table with the following structure:
- id: Unique identifier for the API key
- userid: ID of the user who owns the key
- name: User-defined name for the key (required)
- description: Optional description of the key's purpose
- keyprefix: First 8 characters of the key for efficient database lookups
- keyhash: BCrypt hash of the full key for secure storage
- status: Active (0) or Revoked (1)
- lastused: Timestamp of last API call using this key
- expiresat: Optional expiration date (if not set, key never expires)
- created/updated/version: Standard audit fields
- Key generation and storage
- Keys are 64 characters long (32 random bytes converted to hexadecimal).
- The full key is shown only once during creation.
- Keys are stored using BCrypt hashing (same security as passwords).
- First 8 characters are stored as plaintext for efficient lookup.
- Keys cannot be recovered if lost. Users must generate new ones.
- Authentication flow
- Client includes API key in the 'Authorization' header as a Bearer token:
```
Authorization: Bearer [64-character-api-key]
``` - Server extracts the key prefix (first 8 chars) for database lookup.
- Server retrieves potential matching keys from database.
- Server verifies the full key against the BCrypt hash.
- If valid and active, the associated user is authenticated.
- Last used timestamp is updated asynchronously.
- Client includes API key in the 'Authorization' header as a Bearer token:
Security considerations
- Key security
- Keys have same authentication power as passwords.
- Keys should be stored securely (environment variables, secrets management).
- Never commit keys to version control.
- Rotate keys periodically.
- Status management
- Active keys can authenticate API requests.
- Revoked keys are disabled but retained for audit purposes.
- Expired keys (if expiration is set) automatically become inactive.
- Usage tracking
Last used timestamp:
- Helps identify inactive keys.
- Can be used to detect unauthorized usage.
- Assists in key rotation decisions.
API implementation
- Authentication priority
The API server checks authentication in this order:
- API key in Authorization header (if present)
- Cookie-based authentication (existing method)
- Supported endpoints
All existing API endpoints that require authentication support API key authentication. No changes to endpoint behavior; only the authentication method differs.
- Error handling
- Invalid/missing API key returns standard authentication error.
- Revoked keys return authentication error.
- Expired keys return authentication error.
- No distinction in error messages (security through obscurity).
Limitations and considerations
- No scope limitations: API keys have full access to all of the user's permissions (same as logging in).
- No IP restrictions: Keys can be used from any IP address.
- No rate limiting: Per-key rate limiting is not implemented (uses existing user rate limits).
- Single user association: Each key belongs to exactly one user.
- No automatic expiration: Keys do not expire unless they are explicitly set to do so.
Related help topics
Updated: October 9, 2025
About
Terms
Privacy Policy
More
More Options
More
2FA
account settings
accounts
activity log
albums
aliases
analytics
Android app
API
app
attachments
badges
banning
billing
bouncing
calendars
chats
cover photo
credit card on file
CSV files
dark mode
databases
date format
delivery history
digests
direct add
directory
donations
downgrading
downloading
email address
Emailed Photos album
Enterprise groups
events
exporting
extra member data
FAQ
files
folders
footers
GitHub
groups
Groups.io mail servers
guidelines
hashtags
home pages
HTML editor
integrations
iOS app
IP addresses
items per page
JSON files
keyboard shortcuts
language preference
locking
logging in
Markdown editor
member labels
member list
members
messages
mobile app
moderation settings
moderators
notices
notifications
owners
passwords
past members
payers
photos
polls
privacy settings
private groups
profiles
public groups
reposting messages
signatures
Slack synchronization
social logins
spam control settings
spam reported message
special notices
sponsorships
storage space
subgroups
subscriptions
summaries
Tapbacks
text editor
threading
timezone
topics
two-factor authentication
unlocking
upgrading
username
videos
visibility
web/app notifications
wikis
About
Features
Pricing
Updates
Terms
Help
Changing your email address
Creating a Groups.io account
Customizing your account profile and group profiles
Dealing with bouncing accounts
Deleting your account
Displaying your account settings
Exporting your account data
Logging in to your account
Logging out of your account
Merging accounts
Recovering your account if you enter an incorrect email address
Setting dark mode
Setting or changing your social login preference
Setting the number of items to show on group web pages
Setting your language, time, and date display preferences
Setting your preferred text editor
Understanding Groups.io accounts
About group calendars
Adding calendar events
Adding events from outside calendar invitations
Calendar settings
Downloading event iCalendar (ICS) files
Editing or deleting calendar events
Subscribing to a group's calendar
Using the RSVP feature
Viewing a group's calendar and events
Your Calendar home page
Changing the group's cover photo and icon
Creating a group
Customizing group settings
Deleting a group or subgroup
General settings
Group aliases
Group and content restrictions
Inviting people to join a group
Joining a group by email
Joining a publicly listed group through the group's website
Joining or leaving groups
Leaving a group
Locked Group notice
Locking and unlocking groups and subgroups
Promoting your group
Receiving a notice that you were added to a group
Renaming a group
Responding to an invitation to join a group
Standard group email addresses
Upgrading a group
Visiting your groups' websites
Applying hashtags to existing topics
Applying hashtags to new topics
Controlling the use and creation of hashtags
Creating a hashtag
Deleting a hashtag
Editing a hashtag
Hashtag uses and notes
How hashtags are displayed in the group archive
System hashtags and associated notifications
Viewing the hashtags in a group
Adding members directly
Adding moderator notes
Adding or updating members' display names
Banning or unbanning members
Changing a member's email address
Changing an owner or moderator back to a regular member
Displaying an individual member's record
Displaying the member list
Handling members marked NC
Handling pending members
Inviting people to join a group
Making a member an owner or moderator
Message to Member notice
Moderating individual members
Removed Member notice
Removing members from the group
Reviewing members who were removed because of reported spam
Synchronizing group members with a file of email addresses
Synchronizing group members with Slack teams
Using member labels
Viewing information about past members
About footers
Controlling how much email you receive from a group
Deleting individual messages
Downloading a group's message archive
Editing the content of messages in the archive
Footers in individual email messages
Group owner email messages
Handling pending messages
Message formatting settings
Message policy settings
Message reposting settings
Moderating topics, messages, and attachments
Reporting messages to moderators or Groups.io Support
Reposting messages
Responding to a "You have been removed because of reported spam" message from Groups.io
Searching for messages in the archive
Seeing copies of your own messages that you email to groups
Using email to send or reply to group messages
Using the group's website or app to post new topics or reply to existing messages
Using the Like feature
Viewing topics and messages on group websites
About notices
Banned Member notice
Creating, editing, or deleting notices
Direct Add notice
Displaying the Notices page
Goodbye notice
Group Guidelines notice
Group Sponsorship notice
Invite notice
Locked Group notice
Locked Topic notice
Message to Member notice
Monthly Reminder notice
Pending Subscription notice
Rejected Message notice
Rejected Subscription notice
Removed Member notice
Welcome notice
Applying hashtags to existing topics
Applying hashtags to new topics
Deleting topics
Editing the properties of topics in the archive
Locked Topic notice
Locking and unlocking topics
Merging topics
Moderating topics, messages, and attachments
Pinning topics and wiki pages
Splitting topics
Topic icons
Topic threading algorithm
Topics home page
Using email to send or reply to group messages
Using the group's website or app to post new topics or reply to existing messages
Using the Like feature
Viewing topics and messages on group websites
About the Wiki feature
Adding a table of contents to a wiki page
Adding, editing, or deleting wiki footers
Adding, editing, or deleting wiki sidebars
Creating and editing wiki pages
Deleting wiki pages
Displaying a specific wiki page
Viewing a group's wiki
Viewing a wiki page's revision history
Wiki settings