Email delivery services for ‣ (‣ ) and managed services like ‣ and Sourcegraph Accounts Management System (SAMS) are currently backed by SparkPost EU.
<aside>
👋 If you need help with SparkPost, please reach out to #discuss-core-services!
</aside>
Vendor management
- Account
- User accounts are provisioned via Okta SSO using Entitle. Users should generally only request Reporting access by default. Developer access accounts can be granted through Entitle for development purposes. See Requesting access for more details.
- Billing: Airbase Virtual Corporate Card
- We are billed based on emails delivered according to our usage plan, which currently includes up to 250,000 (as of Dec 2022); beyond that, we are billed for overages.
- API Keys: list - see Vendor integrations for more details
- Tech Ops Systems List record: ‣
Requesting access
Access to SparkPost is exclusively granted through Entitle on a per-use basis:
<aside>
❗ Note that all SparkPost access must be done via the EU version of the service, on app.**eu**.sparkpost.com.
</aside>
Also refer to Security.
Vendor integrations
In general, for each integration with SparkPost, we create the following in SparkPost:
- A subaccount corresponding to the integration
- Integrations must be designed such that all usage and access can be controlled on a per-subaccount basis. API tokens distributed to integrations are scoped to individual subaccounts with very limited permissions, and can be disabled individually.
- For Cloud, each Sourcegraph instance gets its own individual subaccount for isolation; see ‣ for more details.
- For MSP services, it is advised to use your service ID as the subaccount for easier bookkeeping, e.g. “sourcegraph-accounts” in both places.
- API keys associated with the subaccount:
- Use separate API keys for your deployments and local development. For example,
- An API key named “Sourcegraph Accounts (dev)” is used for dev deployment (accounts.sgdev.org) and local testing.
- An API key named “Sourcegraph Accounts” is solely used for production deployment (accounts.sourcegraph.com).
<aside>
🚨 For best security practices, NEVER share the API key between production deployment and any other use cases.
</aside>
- Each API key should be granted only the following permissions (do not grant additional management capabilities):
- Send via SMTP, if you want to send emails over the SMTP protocol
- Transmissions: Read/Write, if you want to send emails over the SparkPost API
- Templates: Read-only, which is required as well if you want to use Templates
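One way to check a key inventory against the rules above (subaccount scoping, the three allowed permissions, and no sharing of a production key), as an added example that is not Sourcegraph's own tooling. The record layout, the `audit_keys` name, and the `example-service` entry with its extra permission are assumptions constructed for illustration.

```python
# Added example: audit a key inventory against the rules on this page.
# The record layout is hypothetical; the sample inventory is constructed.
ALLOWED = {"Send via SMTP", "Transmissions: Read/Write", "Templates: Read-only"}

def audit_keys(keys):
    """Return (key label, finding) tuples for every rule a key breaks."""
    findings = []
    for key in keys:
        label = key["label"]
        # Rule: API tokens are scoped to an individual subaccount.
        if not key.get("subaccount"):
            findings.append((label, "not scoped to a subaccount"))
        # Rule: no permissions beyond the three listed above.
        extra = sorted(set(key["permissions"]) - ALLOWED)
        if extra:
            findings.append((label, "extra permissions: " + ", ".join(extra)))
        # Rule: a production key is never used anywhere else.
        envs = {use["env"] for use in key["used_by"]}
        if "prod" in envs and len(envs) > 1:
            others = sorted(u["where"] for u in key["used_by"] if u["env"] != "prod")
            findings.append((label, "production key also used by: " + ", ".join(others)))
    return findings

SAMPLE_INVENTORY = [  # constructed sample data
    {"label": "Sourcegraph Accounts", "subaccount": "sourcegraph-accounts",
     "permissions": ["Transmissions: Read/Write", "Templates: Read-only"],
     "used_by": [{"where": "accounts.sourcegraph.com", "env": "prod"}]},
    {"label": "Sourcegraph Accounts (dev)", "subaccount": "sourcegraph-accounts",
     "permissions": ["Send via SMTP"],
     "used_by": [{"where": "accounts.sgdev.org", "env": "dev"},
                 {"where": "local testing", "env": "local"}]},
    # Hypothetical bad key; the second permission is a constructed stand-in
    # for a management capability that should not be granted.
    {"label": "example-service", "subaccount": None,
     "permissions": ["Transmissions: Read/Write", "Subaccounts: Read/Write"],
     "used_by": [{"where": "example.invalid", "env": "prod"},
                 {"where": "local testing", "env": "local"}]},
]

if __name__ == "__main__":
    for label, finding in audit_keys(SAMPLE_INVENTORY):
        print(f"{label}: {finding}")
```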