Authentication and Keys
Use personal keys in the Authorization header:
Authorization: Bearer snpk_<keyId>_<secret>
Accepted scope:
posts:publish
This single scope is used for all v1 publishing endpoints.
Key lifecycle
Create
Create and manage keys from signed-in private endpoints:
POST /api/private-profile/api-keys
GET /api/private-profile/api-keys
POST /api/private-profile/api-keys/:keyId/revoke
Default limits:
- Max active keys per user: 5
- Default expiry: 90 days
One-time secret reveal
The plaintext key is returned once at creation time. You cannot retrieve it again later.
Revoke and rotate
If a key is exposed:
- Revoke immediately.
- Create a replacement key.
- Update secret stores in all environments.
- Validate that the old key no longer works.
Security rules
- Store keys in a secret manager.
- Never commit keys to git.
- Never send keys in query parameters or request bodies.
- Never include full keys in logs, tickets, or chat.
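One way to enforce the last two rules in client code and log pipelines, as an added example that is not part of the original documentation. The character sets assumed for <keyId> and <secret>, the host api.example.test, the /publish path and the sample keys are all assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: <keyId> is alphanumeric and <secret> is URL-safe text of 8+ chars;
# the page documents only the snpk_<keyId>_<secret> layout.
KEY_RE = re.compile(r"\bsnpk_([A-Za-z0-9]+)_([A-Za-z0-9_-]{8,})")

def redact(text):
    """Mask the secret but keep the keyId, so the key can still be identified and revoked."""
    return KEY_RE.sub(lambda m: "snpk_%s_[REDACTED]" % m.group(1), text)

def audit_request(url, headers, body=""):
    """Return (location, keyId) findings for keys outside the Authorization header."""
    findings = []
    # Keys in the query string or the request body always violate the rules.
    for loc, value in (("query", urlsplit(url).query), ("body", body)):
        findings += [(loc, m.group(1)) for m in KEY_RE.finditer(value)]
    # The only accepted place is "Authorization: Bearer <key>".
    for name, value in headers.items():
        for m in KEY_RE.finditer(value):
            is_bearer = name.lower() == "authorization" and value.startswith("Bearer ")
            if not is_bearer:
                findings.append(("header:" + name, m.group(1)))
    return findings

# Constructed sample data: these keys are made up for the example.
GOOD = "snpk_k1a2b3_Zm9vYmFyYmF6cXV4MTIz"
LEAKED = "snpk_k9z8y7_QUJDREVGR0hJSktMTU5P"

if __name__ == "__main__":
    # Hypothetical URL; the page does not list the publishing endpoints.
    url = "https://api.example.test/publish"
    print(audit_request(url, {"Authorization": "Bearer " + GOOD}))
    print(audit_request(url + "?key=" + LEAKED, {"X-Debug": GOOD},
                        body='{"token": "%s"}' % LEAKED))
    print(redact("auth failed for Bearer " + GOOD))
```

Because the redacted form keeps the keyId, a finding in a log or ticket still tells you which key to revoke.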