CreatorAudit authenticates every request with an organization-scoped API key over HTTPS, and each key only ever sees the data its own organization owns. This page covers how to handle keys safely, how scoping works, and exactly what data the API returns.

API key security

Your API key is a secret bearer credential. Anyone holding it can read and modify your organization’s data, so treat it like a password.
  • Keep it secret. Never commit keys to source control, embed them in client-side code, or write them to logs, error reports, or screenshots.
  • Call from a server. Keep the key on your backend and proxy requests; do not ship it to browsers or mobile apps.
  • Show once. The full key is shown only once at creation time on the API keys page. Copy it into your secret manager — you cannot retrieve it again later.
If a key is ever exposed, disable it immediately on the dashboard and create a replacement. Disabled keys stop working at once.

Rotate without downtime

Keys can be renamed, disabled and re-enabled, or deleted on the dashboard. To rotate a live key without an outage, roll a new one in before retiring the old one:
1. Create a new key. On the API keys page, create a new key with a recognizable name.
2. Deploy it. Roll the new key out to your integration and confirm traffic has moved over (GET /v2/whoami echoes the key name a token resolves to).
3. Disable the old key. Once nothing is using it, disable the old key. You can re-enable it briefly if you need to roll back, then delete it when you're confident.
See Authentication for the full bearer-token flow.

Organization scoping

Every API key is scoped to exactly one organization: it can read and write only that organization's data, and every response is limited to the resources that organization owns, with no way to reach another organization's data. Use GET /v2/whoami to confirm which organization and key a token resolves to.
Scoping is enforced on the server for every request, not just at sign-in. There is no parameter that widens a key beyond its own organization. See Authentication for details.

Transport

All API traffic uses HTTPS. Send requests only to https://api.creatoraudit.com/v2 and keep your client’s TLS verification enabled.
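The following is an added example, not CreatorAudit's own client library, that ties together the rotation steps, the organization-scoping check and the transport rules above: a minimal server-side client that reads the key from the server environment, refuses to send it over anything but HTTPS with certificate verification on, and calls GET /v2/whoami both to confirm which organization and key a token resolves to and to verify that a rotation has actually moved traffic to the new key before the old one is disabled. The whoami response fields ("organization", "key_name"), the environment variable name CREATORAUDIT_API_KEY and the placeholder key values are this example's assumptions; the page does not document them.

```python
"""Added example (not CreatorAudit's own client library): a minimal server-side
client that keeps the key out of browsers, pins the HTTPS base URL, leaves TLS
verification on, and uses GET /v2/whoami both to confirm which organization
and key a token resolves to and to check that a rotation has actually moved
traffic to the new key before the old one is disabled.

Assumptions not documented on this page: the whoami response is JSON with the
fields "organization" and "key_name", and the environment variable name
CREATORAUDIT_API_KEY is this example's own choice. Key values are constructed
placeholders, not a real key format."""
import json
import os
import ssl
import urllib.request
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://api.creatoraudit.com/v2"

# A transport takes (url, headers) and returns the response body as text.
Transport = Callable[[str, Dict[str, str]], str]


def https_transport(url: str, headers: Dict[str, str]) -> str:
    """Real transport: refuses plain HTTP and verifies the server certificate."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send the API key over a non-HTTPS URL")
    ctx = ssl.create_default_context()  # certificate and hostname verification on
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


class CreatorAuditClient:
    def __init__(self, api_key: Optional[str] = None,
                 transport: Transport = https_transport):
        # The key is read from the server's environment (populated from a
        # secret manager), never from source code or a committed config file.
        self._api_key = api_key or os.environ.get("CREATORAUDIT_API_KEY")
        if not self._api_key:
            raise RuntimeError("no API key: set CREATORAUDIT_API_KEY")
        self._transport = transport

    def __repr__(self) -> str:
        # Keeps the key out of tracebacks and debug logs that print the client.
        return "CreatorAuditClient(api_key=<redacted>)"

    def _get(self, path: str) -> dict:
        headers = {"Authorization": "Bearer " + self._api_key,
                   "Accept": "application/json"}
        return json.loads(self._transport(BASE_URL + path, headers))

    def whoami(self) -> dict:
        return self._get("/whoami")


def resolved_identity(client: CreatorAuditClient) -> Tuple[str, str]:
    """Which (organization, key name) the configured token resolves to."""
    info = client.whoami()
    return info["organization"], info["key_name"]


def rotation_complete(client: CreatorAuditClient, new_key_name: str) -> bool:
    """Rotation step 2: True only once this integration's token is the new key."""
    return resolved_identity(client)[1] == new_key_name


# Constructed stand-in for the API so the example runs offline. It checks the
# bearer header the way the real server would and answers like whoami.
FAKE_KEYS = {
    "caKEY_EXAMPLE_old_0000": "billing-old",
    "caKEY_EXAMPLE_new_1111": "billing-2024-06",
}


def fake_transport(url: str, headers: Dict[str, str]) -> str:
    if not url.startswith(BASE_URL):
        raise ValueError("unexpected host: " + url)
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in FAKE_KEYS:
        raise PermissionError("401 Unauthorized")
    return json.dumps({"organization": "org_example",
                       "key_name": FAKE_KEYS[token]})


if __name__ == "__main__":
    old = CreatorAuditClient("caKEY_EXAMPLE_old_0000", fake_transport)
    new = CreatorAuditClient("caKEY_EXAMPLE_new_1111", fake_transport)
    print(resolved_identity(old), rotation_complete(old, "billing-2024-06"))
    print(resolved_identity(new), rotation_complete(new, "billing-2024-06"))
```

In a real deployment you would pass `https_transport` (the default) and only disable the old key once `rotation_complete` returns True from every host running the integration; the injectable transport exists so the cut-over logic can be exercised without network access.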

What data CreatorAudit exposes

The API serves public engagement metrics only — the kind of figures visible on a public profile or post:
  • Views and plays
  • Likes, comments, and shares
  • Follower counts
  • Engagement rate
CreatorAudit does not collect or expose private account data or direct messages. There is no private or DM data in any response.

Your responsibilities

Security is shared. On your side:
  • Don’t log keys. Scrub credentials from application logs, crash reports, and analytics.
  • Use least privilege per integration. Issue a separate key for each integration so you can disable one without disrupting the others; GET /v2/whoami tells you which key a given caller is using.
  • Store keys in a secret manager, not in plain config files or environment files committed to a repo.
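One way to meet the "don't log keys" responsibility in code, as an added example that is not CreatorAudit's own code: a logging filter that scrubs API keys from log records before they reach a file, a crash reporter or an analytics sink. It redacts any "Bearer <token>" value and, in addition, the exact key strings registered with it, so a key that appears on its own (for instance in a dumped config line) is caught too. The key value and the log lines are constructed placeholders, not a real key format or real output.

```python
"""Added example (not CreatorAudit's own code): a logging filter that scrubs
API keys from log records before they reach a file, a crash reporter or an
analytics sink. It redacts any "Bearer <token>" value and, in addition, the
exact key strings registered with it, so a key that appears on its own (for
instance from a dumped config) is caught too. The key value below is a
constructed placeholder, not a real key format."""
import io
import logging
import re
from typing import Iterable, List

# Matches the token after "Bearer" in an Authorization header or a logged dict.
BEARER_RE = re.compile(r"(?i)(bearer\s+)([A-Za-z0-9._~+/=-]+)")


class SecretRedactingFilter(logging.Filter):
    REDACTED = "[REDACTED]"

    def __init__(self, secrets: Iterable[str] = ()):
        super().__init__()
        # Longest first, so a key that is a prefix of another is not left half-redacted.
        self._secrets = sorted({s for s in secrets if s}, key=len, reverse=True)

    def redact(self, text: str) -> str:
        text = BEARER_RE.sub(lambda m: m.group(1) + self.REDACTED, text)
        for secret in self._secrets:
            text = text.replace(secret, self.REDACTED)
        return text

    def filter(self, record: logging.LogRecord) -> bool:
        # Scrub the fully formatted message (so keys passed as %-args are
        # covered too) and clear args so the formatter does not re-apply them.
        record.msg = self.redact(record.getMessage())
        record.args = ()
        return True  # keep the record, just with the secret removed


def scrub_log_lines(lines: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """Log constructed messages through a handler carrying the filter and return
    what actually reached the sink. The filter sits on the handler rather than
    the logger so records from child loggers are scrubbed as well."""
    sink = io.StringIO()
    handler = logging.StreamHandler(sink)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter(secrets))
    logger = logging.getLogger("creatoraudit.example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(handler)
    for line in lines:
        logger.info(line)
    handler.flush()
    return sink.getvalue().splitlines()


SAMPLE_KEY = "caKEY_EXAMPLE_a1b2c3d4e5f6"  # constructed placeholder
SAMPLE_LINES = [  # constructed log lines of the kind an integration might emit
    'GET /v2/whoami headers={"Authorization": "Bearer ' + SAMPLE_KEY + '"}',
    "loaded config: CREATORAUDIT_API_KEY=" + SAMPLE_KEY,
    "request ok org=org_example key=billing-2024-06",
]

if __name__ == "__main__":
    for line in scrub_log_lines(SAMPLE_LINES, [SAMPLE_KEY]):
        print(line)
```

Attach the filter to every handler that leaves the process (file, syslog, crash-reporting and analytics hooks), not just the console. The filter only touches the message text; exception text attached to a record is rendered later by the Formatter, so an integration that logs exceptions containing request headers should also override `Formatter.formatException` with the same `redact` call.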

Security & compliance questions

For security or compliance questions, contact support@creatoraudit.com.