Authentication

API key creation, permissions, rate limits, and security best practices.

Overview

Every API request requires a Bearer token. Keys are scoped to your organization and carry specific permissions.

API Key Format

  • Format: aeo_live_ prefix + 32 hexadecimal characters
  • Example: aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
  • Only the SHA-256 hash is stored server-side
  • The full key is shown exactly once at creation time

```http
Authorization: Bearer aeo_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4
```

Creating a Key

  1. Log in at studio.aeocontent.ai
  2. Navigate to API Keys tab
  3. Click "Create API Key"
  4. Complete SMS verification (2FA required)
  5. Copy and store the key securely

API keys require an active paid plan (Growth, Premium, or Business). Free audit users cannot create API keys.

Permissions

Two permission levels:

| Name | Type | Required | Description |
|------|------|----------|-------------|
| read | permission | Optional | GET endpoints - list audits, get audit details, check status, visibility reports. Use case: monitoring dashboards, reporting. |
| write | permission | Optional | POST endpoints - submit new audits, trigger re-audits. Use case: automation, CI/CD pipelines. |

A key can have one or both permissions. Most integrations need both read and write.

Rate Limits

Per-key limits based on plan:

| Name | Type | Required | Description |
|------|------|----------|-------------|
| Growth | plan | Optional | 10 requests/minute, 100 requests/day |
| Premium | plan | Optional | 30 requests/minute, 500 requests/day |
| Business | plan | Optional | 60 requests/minute, 2,000 requests/day |

Rate limit headers returned with every response:

```http
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1708646400
```

When rate limited, the API returns 429 Too Many Requests.

Error Responses

```json
{
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key"
  }
}
```

Common error codes:

  • 401 - Missing or invalid API key
  • 403 - Key lacks required permission (e.g., write for POST endpoints)
  • 429 - Rate limit exceeded
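As an added example (not the vendor's SDK and not code from this page), a small Python helper that enforces the documented key format before building the Bearer header, computes the SHA-256 fingerprint that the server stores instead of the key, reads the X-RateLimit-* headers, and maps 401/403/429 responses to a next action. The response headers and error body below are constructed samples; no endpoint paths are assumed.

```python
"""Client-side helpers for the AEO API key scheme (added example, not vendor code)."""
import hashlib
import re
from typing import Optional

# Documented shape: aeo_live_ prefix + 32 hexadecimal characters (case-insensitive here; an assumption).
KEY_PATTERN = re.compile(r"^aeo_live_[0-9a-fA-F]{32}$")


def is_valid_key_format(key: str) -> bool:
    """True only if the key matches the documented format; catches truncated or pasted-wrong keys early."""
    return bool(KEY_PATTERN.match(key))


def auth_header(key: str) -> dict:
    """Build the Bearer header, refusing malformed keys before any request leaves the process."""
    if not is_valid_key_format(key):
        raise ValueError("API key does not match aeo_live_ + 32 hex characters")
    return {"Authorization": f"Bearer {key}"}


def key_fingerprint(key: str) -> str:
    """SHA-256 hex digest of the key: what the server keeps, and what you can log during rotation."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def parse_rate_limit(headers: dict) -> dict:
    """Convert the three X-RateLimit-* headers to integers (reset is a Unix timestamp)."""
    return {
        "limit": int(headers["X-RateLimit-Limit"]),
        "remaining": int(headers["X-RateLimit-Remaining"]),
        "reset": int(headers["X-RateLimit-Reset"]),
    }


def retry_after_seconds(status: int, headers: dict, now: float) -> Optional[float]:
    """On 429, seconds to sleep until the window resets; None for any other status."""
    if status != 429:
        return None
    return max(0.0, parse_rate_limit(headers)["reset"] - now)


def classify_error(status: int, body: dict) -> str:
    """Map the documented error statuses to an operator action string."""
    code = body.get("error", {}).get("code", "")
    if status == 401:
        return f"auth_failed:{code}"          # missing/invalid key: check the env var, rotate if leaked
    if status == 403:
        return f"permission_missing:{code}"   # key lacks read/write for this endpoint
    if status == 429:
        return "rate_limited"                 # back off using retry_after_seconds()
    return f"other:{status}"
```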

Security Best Practices

  • Store keys in environment variables, never in source code
  • Use separate keys for development and production
  • Rotate keys periodically - revoke old keys at studio.aeocontent.ai
  • Never expose keys in client-side JavaScript or public repositories
  • Use read-only keys for monitoring-only integrations

If you suspect a key has been compromised, revoke it immediately at studio.aeocontent.ai and create a new one.