Authentication

API key creation, permissions, rate limits, and security best practices.

Overview

Every API request requires a Bearer token. Keys are scoped to your organization and carry specific permissions.

API Key Format

Format: aeo_live_ prefix + 32 hexadecimal characters
Example: aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Only the SHA-256 hash is stored server-side
The full key is shown exactly once at creation time

bash

Authorization: Bearer aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

Creating a Key

Log in at my.aeocontent.ai
Navigate to API Keys tab
Click "Create API Key"
Complete SMS verification (2FA required)
Copy and store the key securely

API keys require an active paid plan (Starter, Growth, or Scale). Free audit users cannot create API keys.

Permissions

Two permission levels:

Name	Type	Required	Description
`read`	permission	Optional	GET endpoints - list audits, get audit details, check status, visibility reports. Use case: monitoring dashboards, reporting.
`write`	permission	Optional	POST endpoints - submit new audits, trigger re-audits. Use case: automation, CI/CD pipelines.

A key can have one or both permissions. Most integrations need both read and write.

Rate Limits

Per-key limits based on plan:

Name	Type	Required	Description
`Starter`	plan	Optional	10 requests/minute, 100 requests/day
`Growth`	plan	Optional	30 requests/minute, 500 requests/day
`Scale`	plan	Optional	60 requests/minute, 2,000 requests/day

Rate limit headers returned with every response:

bash

X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1708646400

When rate limited, the API returns 429 Too Many Requests.

Error Responses

json

{
  class="code-string">"error": {
    class="code-string">"code": class="code-string">"unauthorized",
    class="code-string">"message": class="code-string">"Invalid or missing API key"
  }
}

Common error codes:

401 - Missing or invalid API key
403 - Key lacks required permission (e.g., write for POST endpoints)
429 - Rate limit exceeded

Security Best Practices

Store keys in environment variables, never in source code
Use separate keys for development and production
Rotate keys periodically - revoke old keys at my.aeocontent.ai
Never expose keys in client-side JavaScript or public repositories
Use read-only keys for monitoring-only integrations

If you suspect a key has been compromised, revoke it immediately at my.aeocontent.ai and create a new one.

Authentication

API key creation, permissions, rate limits, and security best practices.

Overview

Every API request requires a Bearer token. Keys are scoped to your organization and carry specific permissions.

API Key Format

Format: aeo_live_ prefix + 32 hexadecimal characters
Example: aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
Only the SHA-256 hash is stored server-side
The full key is shown exactly once at creation time

bash

Authorization: Bearer aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

Creating a Key

Log in at my.aeocontent.ai
Navigate to API Keys tab
Click "Create API Key"
Complete SMS verification (2FA required)
Copy and store the key securely

API keys require an active paid plan (Starter, Growth, or Scale). Free audit users cannot create API keys.

Permissions

Two permission levels:

Name	Type	Required	Description
`read`	permission	Optional	GET endpoints - list audits, get audit details, check status, visibility reports. Use case: monitoring dashboards, reporting.
`write`	permission	Optional	POST endpoints - submit new audits, trigger re-audits. Use case: automation, CI/CD pipelines.

A key can have one or both permissions. Most integrations need both read and write.

Rate Limits

Per-key limits based on plan:

Name	Type	Required	Description
`Starter`	plan	Optional	10 requests/minute, 100 requests/day
`Growth`	plan	Optional	30 requests/minute, 500 requests/day
`Scale`	plan	Optional	60 requests/minute, 2,000 requests/day

Rate limit headers returned with every response:

bash

X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1708646400

When rate limited, the API returns 429 Too Many Requests.

Error Responses

json

{
  class="code-string">"error": {
    class="code-string">"code": class="code-string">"unauthorized",
    class="code-string">"message": class="code-string">"Invalid or missing API key"
  }
}

Common error codes:

401 - Missing or invalid API key
403 - Key lacks required permission (e.g., write for POST endpoints)
429 - Rate limit exceeded

Security Best Practices

Store keys in environment variables, never in source code
Use separate keys for development and production
Rotate keys periodically - revoke old keys at my.aeocontent.ai
Never expose keys in client-side JavaScript or public repositories
Use read-only keys for monitoring-only integrations

If you suspect a key has been compromised, revoke it immediately at my.aeocontent.ai and create a new one.