API keys
Workspace API keys are the credentials used to authenticate against the public API. Each key is scoped to a single workspace and carries a set of OAuth-style scopes that control what it can do.
Tokens are opaque bearer strings prefixed with ssp_live_. The prefix plus the last four characters are stored on the key record so the dashboard can display a masked version such as ssp_live_abcd…wxyz.
The full token is hashed with SHA-256 before being stored. The plaintext token is only returned in the response of the create endpoint, exactly once.
New keys are created with the following default scopes:
- posts:read: read posts and post targets.
- posts:write: create, edit, schedule, publish, and cancel posts.
- accounts:read: list connected social accounts.
Each key has a last_used_at timestamp that updates on every successful authentication. Keys can also carry an expires_at; expired keys are rejected with API_KEY_EXPIRED.
Revocation sets revoked_at. Revoked keys are rejected with API_KEY_REVOKED on every subsequent request, even if the body and method match a previous successful call.
If a workspace has API debug logging enabled, every request that presents a key, whether authentication succeeds or not, is recorded in the apiRequestLog table for observability.
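A minimal server-side model of the key lifecycle described above, as an added example that is not this product's own code: issuing a token with the ssp_live_ prefix, persisting only its SHA-256 digest plus the last four characters for a masked display, and enforcing the revoked, expired and last_used_at rules on each request. The API_KEY_INVALID code for unknown tokens and the in-memory dict store are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

PREFIX = "ssp_live_"
DEFAULT_SCOPES = frozenset({"posts:read", "posts:write", "accounts:read"})

@dataclass
class ApiKeyRecord:
    token_hash: str            # hex SHA-256 of the full token; the plaintext is never stored
    last4: str                 # with the prefix, enough for the dashboard's masked form
    scopes: frozenset
    expires_at: Optional[datetime] = None
    revoked_at: Optional[datetime] = None
    last_used_at: Optional[datetime] = None

    def masked(self) -> str:
        return f"{PREFIX}…{self.last4}"

def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

def create_key(expires_in_seconds: Optional[int] = None):
    """Mint a key; returns (plaintext, record). Only this call ever sees the plaintext."""
    token = PREFIX + secrets.token_urlsafe(32)
    expires_at = None
    if expires_in_seconds is not None:
        expires_at = datetime.now(timezone.utc) + timedelta(seconds=expires_in_seconds)
    return token, ApiKeyRecord(hash_token(token), token[-4:], DEFAULT_SCOPES, expires_at)

def revoke(record: ApiKeyRecord) -> None:
    record.revoked_at = datetime.now(timezone.utc)

def authenticate(presented: str, store: dict):
    """Resolve a bearer token against {token_hash: record}; returns (record, error_code)."""
    digest = hash_token(presented)
    record = store.get(digest)
    # Compare digests in constant time; the plaintext never enters the comparison.
    if record is None or not hmac.compare_digest(record.token_hash, digest):
        return None, "API_KEY_INVALID"   # assumed code; the page names only the two below
    if record.revoked_at is not None:
        return None, "API_KEY_REVOKED"   # revocation wins even for a previously good request
    now = datetime.now(timezone.utc)
    if record.expires_at is not None and now >= record.expires_at:
        return None, "API_KEY_EXPIRED"
    record.last_used_at = now            # only successful authentications bump this
    return record, None
```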
- Use one key per environment and per integration (production, staging, CI, third-party tool).
- Give each key a descriptive name so you can identify the source of a leak quickly.
- Treat the plaintext token like any other production secret: store it in your secrets manager, never in source control, and never in browser-accessible storage.
- Rotate keys by creating a new one, switching traffic over, and then revoking the old one. Revocation is immediate.
- If you suspect a key is compromised, revoke it right away. The public API does not support a softer "disable" state.