API key security
Your API key is a secret bearer credential. Anyone holding it can read and modify your organization’s data, so treat it like a password.
- Keep it secret. Never commit keys to source control, embed them in client-side code, or write them to logs, error reports, or screenshots.
- Call from a server. Keep the key on your backend and proxy requests; do not ship it to browsers or mobile apps.
- Show once. The full key is shown only once at creation time on the API keys page. Copy it into your secret manager — you cannot retrieve it again later.
Rotate without downtime
Keys can be renamed, disabled and re-enabled, or deleted on the dashboard. To rotate a live key without an outage, roll a new one in before retiring the old one:
- Create a new key. On the API keys page, create a new key with a recognizable name.
- Deploy it. Roll the new key out to your integration and confirm traffic has moved over (GET /v2/whoami echoes the key name a token resolves to).
Organization scoping
Every API key is scoped to exactly one organization. A key can only ever read and write that organization’s data — every response is limited to the resources that organization owns, with no way to reach another organization’s data. Use GET /v2/whoami to confirm which organization and key a token resolves to.
Scoping is enforced on the server for every request, not just at sign-in. There is no parameter that widens a key beyond its own organization. See Authentication for details.
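The rotation check and the organization check above share one call, GET /v2/whoami, so here is a single worked example covering both: a backend refuses to retire the old key until the new one is confirmed live under the name it was given on the API keys page and inside the expected organization. This is an added example, not CreatorAudit's own code. Two things are assumptions not stated on this page: that the key is sent as a bearer token in the Authorization header, and that the whoami response is JSON with "organization" and "key_name" fields; check both against the Authentication reference. The `whoami_fake` directory is constructed so the logic runs offline.

```python
# Added example (not CreatorAudit's code): gate key retirement on GET /v2/whoami,
# and confirm a key resolves to the organization you expect.
# Assumptions: bearer token in the Authorization header; whoami returns JSON with
# "organization" and "key_name" fields.
import json
import urllib.error
import urllib.request
from typing import Callable, Dict

API_BASE = "https://api.creatoraudit.com/v2"  # the endpoint the Transport section allows
WhoAmI = Callable[[str], Dict[str, str]]


def whoami_http(api_key: str) -> Dict[str, str]:
    """Real transport: GET /v2/whoami with the key as a bearer token (assumed header form).
    A 401/403 is surfaced as PermissionError so callers treat it as "key not accepted"."""
    req = urllib.request.Request(
        f"{API_BASE}/whoami", headers={"Authorization": f"Bearer {api_key}"}
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verification stays on
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            raise PermissionError("key not accepted") from err
        raise


def confirm_org(whoami: WhoAmI, api_key: str, expected_org: str) -> bool:
    """True only if the key resolves to the organization this integration is meant to serve."""
    try:
        return whoami(api_key).get("organization") == expected_org
    except PermissionError:
        return False


def rotation_decision(whoami: WhoAmI, new_key: str,
                      expected_key_name: str, expected_org: str) -> str:
    """Return "retire_old" only when the new key is accepted, carries the recognizable name
    you gave it, and belongs to the right organization. Any other outcome returns "keep_old",
    meaning: leave the old key enabled on the dashboard, traffic has not safely moved yet."""
    try:
        info = whoami(new_key)
    except PermissionError:
        return "keep_old"  # the new key is not live yet
    if info.get("key_name") != expected_key_name:
        return "keep_old"  # whoami echoes a different key name: wrong key deployed
    if info.get("organization") != expected_org:
        return "keep_old"  # key belongs to another organization
    return "retire_old"


# Constructed stand-in for the real endpoint so the check can be exercised offline.
FAKE_DIRECTORY = {
    "CONSTRUCTED-NEW-KEY": {"organization": "org-example", "key_name": "billing-worker-v2"},
    "CONSTRUCTED-OLD-KEY": {"organization": "org-example", "key_name": "billing-worker-v1"},
}


def whoami_fake(api_key: str) -> Dict[str, str]:
    """Behaves like whoami_http against the constructed directory above."""
    if api_key not in FAKE_DIRECTORY:
        raise PermissionError("unknown or disabled key")
    return dict(FAKE_DIRECTORY[api_key])


if __name__ == "__main__":
    # Swap whoami_fake for whoami_http once the real key is in your secret manager.
    decision = rotation_decision(whoami_fake, "CONSTRUCTED-NEW-KEY",
                                 "billing-worker-v2", "org-example")
    print(decision)  # retire_old
```

The decision function never prints or logs the key values themselves, only the verdict; the key names echoed by whoami are safe to log and are what you would grep for while watching traffic move from the old key to the new one.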
Transport
All API traffic uses HTTPS. Send requests only to https://api.creatoraudit.com/v2 and keep your client’s TLS verification enabled.
What data CreatorAudit exposes
The API serves public engagement metrics only — the kind of figures visible on a public profile or post:
- Views and plays
- Likes, comments, and shares
- Follower counts
- Engagement rate
Your responsibilities
Security is shared. On your side:
- Don’t log keys. Scrub credentials from application logs, crash reports, and analytics.
- Use least privilege per integration. Issue a separate key for each integration so you can disable one without disrupting the others, and whoami tells you which key is calling.
- Store keys in a secret manager, not in plain config files or environment files committed to a repo.
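The server-side pattern this page asks for (key kept on the backend, one key per integration, HTTPS only with TLS verification left on, nothing secret in logs) fits in one small module, so here is an added example that is not CreatorAudit's code. It reads each integration's key from its own environment variable populated by a secret manager (the variable names are my choice), builds the upstream request a backend would send on behalf of a browser or mobile client, refuses any base URL other than the HTTPS API endpoint, and passes every log line through a redaction step that masks the key value. The Authorization header form is an assumption; the environment in the demo is constructed.

```python
# Added example (not CreatorAudit's code): backend-only key handling.
# Assumptions: bearer token in the Authorization header; the environment variable
# names below are this example's own choice.
import os
from typing import Dict, Iterable, Mapping, Optional
from urllib.parse import urlsplit

API_BASE = "https://api.creatoraudit.com/v2"
MASK = "[REDACTED]"

# One key per integration, each in its own variable, so one can be disabled on the
# dashboard without touching the others.
KEY_ENV_VARS = {
    "billing-report": "CREATORAUDIT_KEY_BILLING",
    "dashboard-sync": "CREATORAUDIT_KEY_DASHBOARD",
}


def load_key(integration: str, environ: Optional[Mapping[str, str]] = None) -> str:
    """Fetch one integration's key from the process environment (which the secret manager
    fills), never from a config file in the repo. Fails loudly rather than defaulting."""
    env = os.environ if environ is None else environ
    var = KEY_ENV_VARS[integration]
    key = env.get(var, "")
    if not key:
        raise RuntimeError(f"{var} is not set; inject it from your secret manager")
    return key


def check_base_url(url: str) -> str:
    """Only the HTTPS API endpoint may ever receive the key."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.creatoraudit.com":
        raise ValueError("refusing to send the API key anywhere but the HTTPS API endpoint")
    return url


def build_upstream_request(path: str, api_key: str,
                           base_url: str = API_BASE) -> Dict[str, object]:
    """The request the backend sends upstream on a client's behalf. The browser or app only
    ever talks to this backend and never sees the key."""
    check_base_url(base_url)
    if not path.startswith("/"):
        raise ValueError("path must be relative to the API base")
    return {
        "method": "GET",
        "url": f"{base_url}{path}",
        "headers": {"Authorization": f"Bearer {api_key}"},  # header form is an assumption
        # verify=True is the default for urllib/requests; this module never overrides it
    }


def redact(text: str, secrets: Iterable[str]) -> str:
    """Mask every known secret value before text reaches logs, crash reports or analytics."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, MASK)
    return text


def loggable(request: Dict[str, object], secrets: Iterable[str]) -> str:
    """A description of an upstream request that is safe to write to a log line."""
    return redact(f'{request["method"]} {request["url"]} headers={request["headers"]}', secrets)


if __name__ == "__main__":
    # Constructed environment standing in for what the secret manager injects at deploy time.
    env = {"CREATORAUDIT_KEY_BILLING": "CONSTRUCTED-KEY-VALUE"}
    key = load_key("billing-report", env)
    req = build_upstream_request("/whoami", key)
    print(loggable(req, [key]))
    # GET https://api.creatoraudit.com/v2/whoami headers={'Authorization': 'Bearer [REDACTED]'}
```

Redacting by known value, rather than by a pattern, is deliberate: the page does not document a key format, and masking the exact strings you loaded from the secret manager catches the key wherever it appears, including inside a dumped request object in a crash report.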