An API your platform team won't roll their eyes at.
PolarGX was built modern, not bolted on. Typed SDKs, signed webhooks, idempotency keys, scoped tokens, OpenAPI spec, sandbox. The boring infrastructure done right so you can ship the interesting integrations faster.
Free sandbox · No credit card · OpenAPI 3.1 spec
Your first send in 30 seconds
Drop in a key, point at a recipient, send. Every endpoint is the simplest thing that could possibly work — and every response includes everything you need to audit it later.
- Bearer-token auth, no per-request signing
- JSON request and response everywhere
- Idempotency key supported on every POST
- Standard rate-limit headers
curl https://api.polargx.com/v1/messages \
  -H "Authorization: Bearer ${POLARGX_API_KEY}" \
  -H "Idempotency-Key: msg_2026-04-27_a3f5" \
  -H "Content-Type: application/json" \
  -d '{
    "to": "user@example.com",
    "channel": "email",
    "template_id": "tmpl_welcome_v3",
    "variables": {
      "first_name": "Alex",
      "trial_ends_at": "2026-05-11"
    }
  }'
# 200 OK
# {
#   "id": "msg_01HZP4...",
#   "status": "queued",
#   "channel": "email",
#   "created_at": "2026-04-27T18:14:22Z"
# }
SDKs and language support
Honest about what's there. Active SDKs are typed against the OpenAPI spec and published to package registries. Anything not on this list, the REST API has you covered today.
pip install polargx. Type hints from OpenAPI. Async client included.
npm i @polargx/node. Full type definitions. Works in Node, Deno, and edge runtimes.
Generated from OpenAPI. Track progress in the changelog.
Generated from OpenAPI. Track progress in the changelog.
Available via OpenAPI codegen today. Native SDK on roadmap by demand.
OpenAPI 3.1 spec generates clients for every major language toolchain.
Webhooks done right
Webhooks are where most platforms cut corners and most integrations break. We've been on the receiving end of those — so we built the surface we wished others had.
- HMAC-SHA256 signing. Every payload signed with your secret. Verify in three lines of code.
- Idempotency keys. Every event has a deterministic ID — safe to deduplicate without state.
- Exponential retries. Failed deliveries retry up to 24 hours with jitter. No thundering herd on recovery.
- 7-day replay. Replay any event from the last week via API, individually or in bulk by event type.
- Per-environment endpoints. Sandbox and production fire to separate URLs.
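import crypto from 'crypto'

// Throws unless the request carries a valid HMAC-SHA256 signature.
export function verify(req) {
  const sig = req.headers['polargx-signature']
  const ts = req.headers['polargx-timestamp']
  const raw = req.rawBody // capture before JSON parse
  if (typeof sig !== 'string' || typeof ts !== 'string') {
    throw new Error('Invalid signature')
  }
  const expected = crypto
    .createHmac('sha256', process.env.POLARGX_WEBHOOK_SECRET)
    .update(`${ts}.${raw}`)
    .digest('hex')
  const given = Buffer.from(sig, 'hex')
  const wanted = Buffer.from(expected, 'hex')
  // timingSafeEqual throws a RangeError on unequal lengths, so compare lengths first
  if (given.length !== wanted.length || !crypto.timingSafeEqual(given, wanted)) {
    throw new Error('Invalid signature')
  }
}
Security model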
The controls your security team will ask about, plus the ones they'll appreciate finding without asking.
Scoped tokens
Bearer tokens with permission scopes (send-only, read-only, full). Rotate without redeploying. Every issuance and use is recorded in the audit log.
OAuth 2.0 + PKCE
For user-acting integrations. Standard authorization code flow with PKCE protection. Refresh tokens issued separately and revocable.
IP allowlisting
Enterprise customers can restrict tokens to specific CIDR ranges. Useful for server-only workloads behind static IPs.
HMAC webhook signing
SHA-256 with per-customer secret. Timestamp included to prevent replay. See the Webhooks section for verification code.
TLS 1.2 / 1.3 only
Older protocols disabled at the load balancer. Modern cipher suites only. HSTS enforced.
Audit logs
Every API call logged with token, principal, IP, and outcome. Exportable to your SIEM on Enterprise plans.
For the broader security posture — encryption, infrastructure, vulnerability management, incident response — see the Security Policy.
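The HMAC webhook signing control above pairs the signature with a timestamp to prevent replay. The following is an added example, not PolarGX's own code: a Node.js check that verifies the signature, rejects malformed headers, and enforces timestamp freshness. The header names and the `${ts}.${raw}` signed string are taken from the page's verification snippet; Unix-seconds timestamps and the 5-minute tolerance are assumptions.

```javascript
// Added example, not PolarGX code. Header names and the signed string
// `${ts}.${raw}` come from the page; Unix-seconds timestamps and the
// 5-minute tolerance are assumptions.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto')

const TOLERANCE_SECONDS = 300 // assumed freshness window

function computeSignature(secret, ts, rawBody) {
  return nodeCrypto.createHmac('sha256', secret).update(`${ts}.${rawBody}`).digest('hex')
}

// Returns { ok, reason } rather than throwing, so the caller can log why a delivery was refused.
function checkWebhook(headers, rawBody, secret, nowSeconds) {
  const sig = headers['polargx-signature']
  const ts = headers['polargx-timestamp']
  if (typeof sig !== 'string' || typeof ts !== 'string') {
    return { ok: false, reason: 'missing-header' }
  }
  // A hex SHA-256 HMAC is exactly 64 hex characters. Reject anything else
  // before timingSafeEqual, which throws on buffers of unequal length.
  if (!/^[0-9a-f]{64}$/i.test(sig)) return { ok: false, reason: 'malformed-signature' }
  if (!/^\d{1,12}$/.test(ts)) return { ok: false, reason: 'malformed-timestamp' }
  const expected = computeSignature(secret, ts, rawBody)
  const match = nodeCrypto.timingSafeEqual(Buffer.from(sig, 'hex'), Buffer.from(expected, 'hex'))
  if (!match) return { ok: false, reason: 'bad-signature' }
  // The timestamp is covered by the HMAC, so it is trusted only after the
  // signature matches; an old but validly signed delivery is refused here.
  if (Math.abs(nowSeconds - Number(ts)) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'stale-timestamp' }
  }
  return { ok: true, reason: 'verified' }
}

// Constructed sample delivery: the secret, body and clock value are made up.
const SECRET = 'whsec_constructed_example'
const NOW = 1777313662
const BODY = '{"id":"evt_constructed"}'
const HEADERS = {
  'polargx-timestamp': String(NOW),
  'polargx-signature': computeSignature(SECRET, String(NOW), BODY),
}
```

Pass the raw request bytes exactly as received; re-serialising the parsed JSON changes the bytes and the signature will no longer match.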
Three weeks, not three months
We built migration tooling for the platforms enterprise teams are most often leaving. The pattern is the same: export → migrate → validate in sandbox → cut over with parallel-running.
Audiences, journeys, templates, and historical event data. Catalog included.
Canvas → journeys, segments → audiences, templates with parity tested.
Workflows, segments, broadcasts. Triggered messages preserved end-to-end.
We replace both — sending and event pipeline land on the same data plane. Typically the largest TCO win.
Lists, flows, templates, and historical event data preserved.
Our migration engineer pairs with yours. Most home-grown ESPs migrate cleanly in four to six weeks.
Developer FAQ
Which languages have official SDKs?
Python and TypeScript / Node are our active SDK languages, both typed against an OpenAPI specification. Go and Ruby SDKs are on the roadmap. Any language with an HTTPS client can call the REST API directly — every endpoint and webhook payload is documented.
How are webhooks signed and retried?
Every webhook payload is signed with HMAC-SHA256 using a per-customer signing secret. Failed deliveries are retried with exponential backoff for up to 24 hours. Each delivery includes an idempotency key so your handler can deduplicate without server-side state. Replays of the last 7 days of events are available via API.
How does authentication work?
Server-to-server calls use bearer tokens scoped to specific permissions (e.g., send-only, read-only, full). User-acting calls use OAuth 2.0 authorization code with PKCE. Enterprise customers can additionally restrict tokens to specific source IP ranges.
Is there a sandbox?
Yes — every account includes a sandbox environment with the same API surface as production. Sends route to seed inboxes (or no-op for test mode), webhook deliveries fire normally, and analytics populate so you can build end-to-end before going live. No credit card to enable.
Are there idempotency keys?
Yes. POST endpoints accept an Idempotency-Key header. Repeated requests with the same key return the original response within a 24-hour window — useful when retrying after network errors or running test suites.
What rate limits apply?
Rate limits scale with plan tier and are returned in standard X-RateLimit-Limit / X-RateLimit-Remaining / X-RateLimit-Reset response headers. 429 responses include Retry-After. Enterprise customers can negotiate per-endpoint rate limits and burst allowances.
Where are your docs?
API reference and integration guides are published on the documentation site, organized by capability (sending, audiences, journeys, attribution, webhooks). Each endpoint includes runnable examples and OpenAPI-derived schemas.
How do migrations from Iterable, Braze, Customer.io, or SendGrid + Segment work?
PolarGX ships migration tooling for the common origin platforms. The pattern: export your audiences, templates, and journeys → run them through our migrator → validate in sandbox → cut over with parallel-running for one to four weeks. We provide a dedicated migration engineer for Enterprise customers. Most migrations land in three to six weeks total.
Is there an OpenAPI / Swagger spec?
Yes. The OpenAPI 3.1 spec is published and used to generate our SDKs. You can use it to generate clients in any language your toolchain supports.
Boring infrastructure. Interesting builds.
Get an API key in two minutes. Sandbox is free, the docs are real, and we read every email to dev@polargx.com.