# Security & data handling

> How CreatorAudit secures API access, scopes data to your organization, and what data the API exposes

CreatorAudit authenticates every request with an organization-scoped API key over
HTTPS, and each key only ever sees the data its own organization owns. This page
covers how to handle keys safely, how scoping works, and exactly what data the API
returns.

## API key security

Your API key is a secret bearer credential. Anyone holding it can read and modify
your organization's data, so treat it like a password.

* **Keep it secret.** Never commit keys to source control, embed them in
  client-side code, or write them to logs, error reports, or screenshots.
* **Call from a server.** Keep the key on your backend and proxy requests; do not
  ship it to browsers or mobile apps.
* **Show once.** The full key is shown only once at creation time on the
  [API keys page](https://app.creatoraudit.com/app/api-keys). Copy it into your
  secret manager — you cannot retrieve it again later.

<Warning>
  If a key is ever exposed, disable it immediately on the dashboard and create a
  replacement. Disabled keys stop working at once.
</Warning>

### Rotate without downtime

Keys can be renamed, disabled and re-enabled, or deleted on the dashboard. To
rotate a live key without an outage, roll a new one in before retiring the old one:

<Steps>
  <Step title="Create a new key">
    On the [API keys page](https://app.creatoraudit.com/app/api-keys), create a new key
    with a recognizable name.
  </Step>

  <Step title="Deploy it">
    Roll the new key out to your integration and confirm traffic has moved over
    (`GET /v2/whoami` echoes the key name a token resolves to).
  </Step>

  <Step title="Disable the old key">
    Once nothing is using it, disable the old key. You can re-enable it briefly if you
    need to roll back, then delete it when you're confident.
  </Step>
</Steps>

See [Authentication](/api-reference/authentication) for the full bearer-token flow.
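The cutover check in step 2, as an added example that is not CreatorAudit's own client code: the key is read from the environment (standing in for a secret manager), sent as a bearer token to `GET /v2/whoami`, and the echoed key name is compared with the name of the key you just created before the old key is disabled. The `Authorization: Bearer` header format and the `organization` / `key_name` response fields are assumptions made here, as is the `CREATORAUDIT_API_KEY` variable name; check them against the Authentication page. The transport is injectable so the check can be exercised offline with a constructed response.

```python
"""Rotation cutover check against GET /v2/whoami (added example, not project code)."""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional

BASE_URL = "https://api.creatoraudit.com/v2"


def load_api_key(env_var: str = "CREATORAUDIT_API_KEY") -> str:
    """Read the key from the process environment, the stand-in here for a secret
    manager. The variable name is an assumption of this example."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; load it from your secret manager")
    return key


def whoami(api_key: str,
           fetch: Optional[Callable[[urllib.request.Request], bytes]] = None) -> Dict:
    """Call GET /v2/whoami with the key as a bearer token and return the parsed body.

    `fetch` lets a caller substitute the transport; when omitted, urllib is used
    with its default SSL context, which verifies the server certificate."""
    req = urllib.request.Request(
        f"{BASE_URL}/whoami",
        headers={
            # Assumed header format; see the Authentication page for the real flow.
            "Authorization": f"Bearer {api_key}",
            "Accept": "application/json",
        },
    )
    if fetch is None:
        def fetch(r: urllib.request.Request) -> bytes:
            # Never pass an unverified context here: keep TLS verification enabled.
            with urllib.request.urlopen(r, timeout=10) as resp:
                return resp.read()
    return json.loads(fetch(req))


def cutover_complete(expected_key_name: str, identity: Dict) -> bool:
    """True when the identity echoed by whoami names the new key.
    `key_name` is an assumed field name."""
    return identity.get("key_name") == expected_key_name


def mask_key(api_key: str) -> str:
    """Show only the last four characters so the cutover can be logged without
    writing the secret itself."""
    return "****" + api_key[-4:] if len(api_key) > 4 else "****"


def check_rotation(new_key_name: str,
                   fetch: Optional[Callable[[urllib.request.Request], bytes]] = None) -> bool:
    """Load the deployed key, ask the API what it resolves to, and report whether
    the integration is already presenting the new key."""
    api_key = load_api_key()
    identity = whoami(api_key, fetch=fetch)
    done = cutover_complete(new_key_name, identity)
    print(f"key {mask_key(api_key)} resolves to {identity.get('key_name')!r} "
          f"in org {identity.get('organization')!r}; cutover "
          f"{'complete' if done else 'NOT complete'}")
    return done


if __name__ == "__main__":
    # Run for real only with CREATORAUDIT_API_KEY set to the newly deployed key.
    check_rotation(new_key_name="billing-new")
```

Only after `check_rotation` reports the cutover as complete for every integration should the old key be disabled on the dashboard; if it reports the old name, the new key has not actually reached that deployment yet.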

## Organization scoping

Every API key is scoped to exactly one organization. A key can only ever read and
write that organization's data — every response is limited to the resources that
organization owns, with no way to reach another organization's data. Use
`GET /v2/whoami` to confirm which organization and key a token resolves to.

<Note>
  Scoping is enforced on the server for every request, not just at sign-in. There is no
  parameter that widens a key beyond its own organization. See
  [Authentication](/api-reference/authentication) for details.
</Note>

## Transport

All API traffic uses HTTPS. Send requests only to `https://api.creatoraudit.com/v2`
and keep your client's TLS verification enabled.

## What data CreatorAudit exposes

The API serves **public engagement metrics only** — the kind of figures visible on
a public profile or post:

* Views and plays
* Likes, comments, and shares
* Follower counts
* Engagement rate

CreatorAudit does **not** collect or expose private account data or direct
messages. There is no private or DM data in any response.

## Your responsibilities

Security is shared. On your side:

* **Don't log keys.** Scrub credentials from application logs, crash reports, and
  analytics.
* **Use least privilege per integration.** Issue a separate key for each
  integration so you can disable one without disrupting the others, and `whoami`
  tells you which key is calling.
* **Store keys in a secret manager**, not in plain config files or environment
  files committed to a repo.
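The "don't log keys" item above, as an added example that is not CreatorAudit's own code: a `logging.Filter` that rewrites every record before it reaches a handler, redacting any `Bearer` token it finds and any literal key value the application knows about (the same value it loaded from its secret manager). The sample log lines and the key value `ca_constructed_key_0001` are constructed for this example.

```python
"""Redact API keys from application logs (added example, not project code)."""
import logging
import re
from typing import Iterable, List

# Matches "Bearer <token>" case-insensitively; the token character class covers
# the usual token alphabets, and the captured scheme word is kept in the output.
_BEARER_RE = re.compile(r"(?i)(bearer\s+)[A-Za-z0-9._~+/=-]+")
REDACTED = "[REDACTED]"


def scrub(text: str, secrets: Iterable[str]) -> str:
    """Return `text` with bearer tokens and every known secret value replaced."""
    text = _BEARER_RE.sub(lambda m: m.group(1) + REDACTED, text)
    # Longest first, so a secret that contains another is not left half-redacted.
    for secret in sorted((s for s in secrets if s), key=len, reverse=True):
        text = text.replace(secret, REDACTED)
    return text


class RedactingFilter(logging.Filter):
    """Scrub the fully formatted message of each record before any handler sees it."""

    def __init__(self, secrets: Iterable[str]):
        super().__init__()
        self.secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so secrets passed via %-args are caught too, then drop the args.
        record.msg = scrub(record.getMessage(), self.secrets)
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records so the result can be inspected in-process."""

    def __init__(self):
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


def emit_scrubbed(lines: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """Run the given lines through a logger fitted with RedactingFilter and return
    exactly what the handler received."""
    logger = logging.getLogger("creatoraudit.redaction_example")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter(secrets))
    for line in lines:
        logger.info(line)
    return handler.records


# Constructed log lines; the key value is made up for this example.
SAMPLE_KEY = "ca_constructed_key_0001"
SAMPLE_LOG_LINES = [
    f"request GET https://api.creatoraudit.com/v2/whoami Authorization: Bearer {SAMPLE_KEY}",
    f'config dump: {{"CREATORAUDIT_API_KEY": "{SAMPLE_KEY}"}}',
    "healthcheck ok",
]


if __name__ == "__main__":
    for line in emit_scrubbed(SAMPLE_LOG_LINES, [SAMPLE_KEY]):
        print(line)
```

Attach the filter to the root logger (or to each handler that writes to disk or a log shipper) as early as possible in startup, and feed it the key values the process actually loaded; the bearer pattern catches tokens that leak through request tracing, while the literal match catches config dumps and exception messages that embed the value directly.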

## Security & compliance questions

For security or compliance questions, contact
[support@creatoraudit.com](mailto:support@creatoraudit.com).
