SendGrid
Collaborationsystem_type: "sendgrid"Proxy SendGrid Mail Send and Marketing API calls with PQC-sealed API keys and signed event webhook payloads.
Overview#
The SendGrid connector seals SendGrid API keys in QuantaVault and proxies Mail Send, Marketing Campaigns, and Contact Management API calls. Inbound event webhook payloads are verified against the sealed event webhook public key before forwarding.
https://api.quantaseal.io/api/v2/proxy/outboundAuth header:
X-API-Key: qs_live_...Prerequisites#
- 1A SendGrid account with a verified sender domain
- 2A SendGrid API key with the required permissions (Mail Send, Marketing, etc.)
- 3A QuantaSeal API key
Configuration#
Follow these steps to connect SendGrid to QuantaSeal. You can configure integrations via the Admin Console or directly via the API.
- 1
In SendGrid Settings → API Keys, create a key with Mail Send and Marketing permissions.
- 2
Seal the key: POST /api/v2/vault/seal with credential_type: api_key.
- 3
Create the integration: POST /api/v2/integrations with system_type: sendgrid.
Authentication Types#
Store the SendGrid API key as api_key in QuantaVault. For inbound event webhook verification, store the Event Webhook Signed Public Key as webhook_secret.
All credential types are sealed in QuantaVault with ML-KEM-768 + AES-256-GCM and wrapped by your tenant AWS KMS CMK before storage. See the Vault API reference for the full list of credential types and seal/unseal endpoints.
Available Operations#
QuantaSeal enforces a default-deny operation policy. Only operations listed in your integration's allowed_operations array will be permitted. Add operations when creating or updating the integration.
| Operation | Description |
|---|---|
send_email | Send a transactional email via SendGrid Mail Send API. |
send_template | Send an email using a dynamic template. |
add_contact | Add or update a Marketing Campaigns contact. |
list_contacts | List Marketing Campaigns contacts. |
get_stats | Retrieve email delivery statistics. |
Code Example#
Every proxy call returns a HybridCryptoEnvelope - the response is ML-KEM-768 key-encapsulated, AES-256-GCM encrypted, and signed with ML-DSA-65 + HMAC-SHA-512. Verify both signatures before trusting the decrypted payload.
curl -X POST https://api.quantaseal.io/api/v2/proxy/outbound \
-H "X-API-Key: qs_live_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"integration_id": "int_01HZ9X2K4MNPQRSENDGRID001",
"operation": "send_email",
"payload": {
"personalizations": [{"to": [{"email": "user@example.com"}]}],
"from": {"email": "noreply@quantaseal.io", "name": "QuantaSeal"},
"subject": "Your quantum-safe credentials are ready",
"content": [{"type": "text/plain", "value": "Your QuantaSeal account has been provisioned."}]
}
}'
# Response - HybridCryptoEnvelope
{
"success": true,
"encrypted": {
"ciphertext_kem": "<base64 - 1088 bytes ML-KEM-768>",
"ciphertext_data": "<base64 - AES-256-GCM encrypted SendGrid response>",
"nonce": "<base64 - 12 bytes>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-KEM-768"
},
"signature": {
"pqc_signature": "<base64 - ~3309 bytes ML-DSA-65>",
"hmac_signature": "<base64 - 64 bytes HMAC-SHA-512>",
"tenant_id": "ten_01HZ9X2K4MNPQR5STUVWXYZ00",
"algorithm": "ML-DSA-65+HMAC-SHA-512"
},
"audit_event_id": "aud_01HZ9XABCDEF"
}client.encryption.decrypt(envelope). Both the ML-DSA-65 signature and the HMAC-SHA-512 signature must pass - QuantaSeal uses a bitwise & check, not short-circuit and.Troubleshooting#
403 - The from address does not match a verified Sender Identity
Verify the sender domain or email address in SendGrid Settings → Sender Authentication before sending.
401 - API key does not have Mail Send permission
Regenerate the SendGrid API key with Mail Send enabled and update the vault entry via POST /api/v2/vault/rotate/{credential_id}.