CrossPostr
Docs
Dashboard
api
api
authentication
security

Authentication

Learn how to authenticate with the CrossPostr API using API keys

4 min read
Updated 7/9/2025
Edit on GitHub

API Authentication

CrossPostr uses API keys for authentication. API keys are unique identifiers that allow you to access the API on behalf of your account.

Generating API Keys

Step 1: Access Your Dashboard

  1. Log in to your CrossPostr account
  2. Navigate to SettingsAPI Keys
  3. Click Generate New API Key

Step 2: Configure Permissions

When creating an API key, you can configure specific permissions:

  • read:blogs - Read access to your blog posts
  • write:blogs - Create and update blog posts
  • delete:blogs - Delete blog posts
  • read:analytics - Access to analytics data

Step 3: Save Your API Key

⚠️ Important: Your API key will only be shown once. Make sure to copy and store it securely.

cp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6

API Key Format

All CrossPostr API keys follow this format:

  • Prefix: cp_ (identifies this as a CrossPostr API key)
  • Length: 64 characters total
  • Characters: Alphanumeric (a-z, 0-9)

Using API Keys

Method 1: x-api-key Header (Recommended)

curl -H "x-api-key: cp_your_api_key_here" \
     https://crosspostr.ai/api/v1/blogs

Method 2: Authorization Header

curl -H "Authorization: Bearer cp_your_api_key_here" \
     https://crosspostr.ai/api/v1/blogs

Method 3: Query Parameter (Not Recommended)

For testing purposes only. Never use this method in production:

curl "https://crosspostr.ai/api/v1/blogs?api_key=cp_your_api_key_here"

Security Best Practices

1. Keep API Keys Secret

  • Never commit API keys to version control
  • Don't share API keys in public forums or chat
  • Use environment variables to store API keys
# Example .env file
CROSSPOSTR_API_KEY=cp_your_api_key_here

2. Use Environment-Specific Keys

  • Create separate API keys for development, staging, and production
  • Use different permission levels for different environments

3. Rotate API Keys Regularly

  • Rotate API keys every 90 days or when team members leave
  • Monitor API key usage in your dashboard

4. Use Least Privilege Principle

Only grant the minimum permissions required:

{
  "permissions": ["read:blogs"],
  "description": "Read-only access for analytics dashboard"
}

API Key Management

Viewing Active Keys

You can view all your active API keys in the dashboard:

  • Name: Human-readable name for the key
  • Permissions: Granted permissions
  • Last Used: When the key was last used
  • Created: When the key was created

Deactivating Keys

To deactivate an API key:

  1. Go to SettingsAPI Keys
  2. Find the key you want to deactivate
  3. Click Deactivate

⚠️ Warning: Deactivating an API key will immediately stop all applications using that key.

Key Expiration

API keys can be configured to expire automatically:

  • Never (default)
  • 30 days
  • 90 days
  • 1 year

Permissions System

Available Permissions

| Permission | Description | Endpoints | | ---------------- | ------------------- | ------------------------- | | read:blogs | Read blog posts | GET /api/v1/blogs | | write:blogs | Create/update blogs | POST /PUT /api/v1/blogs | | delete:blogs | Delete blog posts | DELETE /api/v1/blogs | | read:analytics | View analytics | GET /api/v1/analytics |

Permission Validation

When making API requests, the system validates:

  1. API key validity: Is the key active and not expired?
  2. Permission check: Does the key have required permissions?
  3. Rate limiting: Is the request within rate limits?

Error Responses

Invalid API Key

{
  "success": false,
  "error": {
    "code": "INVALID_API_KEY",
    "message": "The provided API key is invalid or expired"
  }
}

Missing API Key

{
  "success": false,
  "error": {
    "code": "MISSING_API_KEY",
    "message": "API key is required for this endpoint"
  }
}

Insufficient Permissions

{
  "success": false,
  "error": {
    "code": "INSUFFICIENT_PERMISSIONS",
    "message": "Your API key does not have the required permissions"
  }
}

Code Examples

Node.js/JavaScript

const apiKey = process.env.CROSSPOSTR_API_KEY;

const response = await fetch('https://crosspostr.ai/api/v1/blogs', {
  headers: {
    'x-api-key': apiKey,
    'Content-Type': 'application/json',
  },
});

if (!response.ok) {
  const error = await response.json();
  console.error('API Error:', error);
  return;
}

const data = await response.json();
console.log(data);

Python

import os
import requests

api_key = os.getenv('CROSSPOSTR_API_KEY')
headers = {
    'x-api-key': api_key,
    'Content-Type': 'application/json'
}

try:
    response = requests.get(
        'https://crosspostr.ai/api/v1/blogs',
        headers=headers
    )
    response.raise_for_status()
    data = response.json()
    print(data)
except requests.exceptions.RequestException as e:
    print(f'API Error: {e}')

PHP

<?php

$apiKey = $_ENV['CROSSPOSTR_API_KEY'];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://crosspostr.ai/api/v1/blogs');
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'x-api-key: ' . $apiKey,
    'Content-Type: application/json'
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if ($httpCode !== 200) {
    echo "API Error: " . $response;
} else {
    $data = json_decode($response, true);
    print_r($data);
}

curl_close($ch);
?>

Testing Your API Key

Use this simple curl command to test your API key:

curl -H "x-api-key: your_api_key_here" \
     https://crosspostr.ai/api/v1/blogs?limit=1

If successful, you should receive a JSON response with your blog data.

Was this page helpful?