API keys
Generate, rotate, and manage API keys per site.
API keys allow external applications to access the IANews API on behalf of a specific site. Each key is scoped to a single site and can only read or write data within that site's boundary.
Generate an API key
- Navigate to API keys -- Go to Sites → select your site → API Keys.
- Create a new key -- Click "Generate New Key".
- Name the key -- Enter a descriptive name for the key (e.g., "Mobile App", "CI/CD Integration", "Analytics Dashboard"). This helps you identify which application uses which key.
- Copy the key immediately -- The full API key is displayed once. Copy it and store it securely. You will not be able to see the full key again after closing the dialog.
Treat API keys like passwords. Never expose them in client-side code, public git repositories, or application logs. Use environment variables or a secrets manager to store them.
Using the API key
Include your API key in every request using one of these methods:
Header (recommended):
```bash
# The URL is quoted so the shell does not treat "?" as a glob character.
curl -H "X-API-Key: sk_live_abc123..." \
  "https://api.earlyforge.ai/api/trends?category=technology"
```
Bearer token:
```bash
curl -H "Authorization: Bearer sk_live_abc123..." \
  "https://api.earlyforge.ai/api/articles"
```
Both methods are equivalent. The X-API-Key header is preferred for clarity.
Key scoping
Each API key is scoped to a single site. A key generated for "TechPulse" can only access TechPulse articles, briefs, trends, and settings. It cannot access data from other sites in your organization.
If you need to access multiple sites programmatically, generate a separate key for each site.
Rotate a key
Key rotation replaces an old key with a new one. This is a security best practice you should follow quarterly, or immediately if a key may have been compromised.
- Generate a new key -- Follow the steps above to create a new API key for the same site.
- Update your applications -- Replace the old key with the new one in all applications and services that use it.
- Revoke the old key -- Once all applications are updated, revoke the old key (see below).
Revoke a key
- Go to Sites → select your site → API Keys.
- Find the key you want to revoke in the list.
- Click "Revoke" next to the key.
- Confirm the revocation.
Revocation is immediate and cannot be undone. Any application using the revoked key will receive 401 Unauthorized responses.
Rate limits
API calls made with your key count toward your plan's monthly API call limit:
| Plan | API calls/month |
|---|---|
| Free | Not available |
| Pro | 10,000 |
| Business | 100,000 |
| Enterprise | Unlimited |
Additionally, per-hour rate limits apply based on your plan tier. See the Plans page for details.
Security best practices
- Rotate keys quarterly -- Schedule regular key rotation to minimize exposure.
- Use separate keys per application -- If a key is compromised, you only need to update one integration.
- Revoke unused keys -- Delete keys for decommissioned applications.
- Monitor usage -- Check the Usage dashboard for unexpected spikes in API calls.
- Never commit keys to source control -- Use .env files, CI/CD secrets, or a vault.
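The advice above on loading keys from the environment and keeping them out of application logs, as an added Python example (not IANews code). It assumes keys begin with `sk_live_` as in this page's curl samples; the variable name `IANEWS_API_KEY` and the key value are hypothetical.

```python
import logging
import os
import re

# Assumption: keys look like "sk_live_..." as in this page's curl samples.
KEY_RE = re.compile(r"sk_live_[A-Za-z0-9_-]+")
# Values of the two header forms this page documents, whatever the key format.
HEADER_RE = re.compile(
    r"""(x-api-key["']?\s*[:=]\s*["']?|authorization["']?\s*[:=]\s*["']?bearer\s+)"""
    r"""([^\s"',}]+)""", re.IGNORECASE)

def redact(text):
    """Mask API keys in header values and anywhere else they appear."""
    # Keep only the non-secret "sk_live_" prefix so the key type stays visible.
    mask = lambda v: "sk_live_****" if v.startswith("sk_live_") else "****"
    text = HEADER_RE.sub(lambda m: m.group(1) + mask(m.group(2)), text)
    return KEY_RE.sub("sk_live_****", text)

class RedactKeys(logging.Filter):
    """Attach to a handler so every record it emits is scrubbed first."""
    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), None
        return True

class ListHandler(logging.Handler):
    def __init__(self):
        super().__init__()
        self.lines = []  # in-memory stand-in for a file or stream
    def emit(self, record):
        self.lines.append(self.format(record))

def load_api_key(env=os.environ, name="IANEWS_API_KEY"):  # hypothetical name
    """Read the key from the environment instead of hard-coding it."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; inject it from your secrets store")
    return key

def demo():
    """Send constructed log lines through the filter; return what was emitted."""
    handler = ListHandler()
    handler.addFilter(RedactKeys())
    log = logging.getLogger("ianews-demo")
    log.addHandler(handler); log.setLevel(logging.INFO); log.propagate = False
    key = load_api_key({"IANEWS_API_KEY": "sk_live_CONSTRUCTED0001"})  # constructed
    log.info("request headers=%s", {"X-API-Key": key})
    log.info("Authorization: Bearer %s", key)
    log.removeHandler(handler)
    return handler.lines
```

Attach the filter to handlers rather than loggers, because logger-level filters are skipped for records that propagate up from child loggers.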
What's next?
- Manage sites -- Create and configure sites
- Style guide -- Define editorial voice for AI-generated content
- Advanced configuration -- Webhooks, CMS connections, and more