API Key
Also known as: API token, Authentication key
Quick definition
An API key is a unique string used to authenticate API requests — proving the request comes from a valid, authorized client. API keys are typically passed in HTTP headers (Authorization: Bearer ...) or query strings; they identify both the requester and what they're allowed to do.
Contents
What is an API key?
An API key is a unique credential that an API client uses to authenticate its requests to a server. The server validates the key to confirm the request comes from an authorized application or user, then either fulfills the request or rejects it. API keys serve as the digital equivalent of an ID badge — they identify the requester and (often) what permissions they have.
In the social media context, every scheduling API (CodivUpload, Buffer, Postiz, Ayrshare, Upload-Post) issues API keys to paying users. CodivUpload's keys typically follow the format `cdv_` followed by a long random string. The user passes the key in the HTTP Authorization header on every API request: `Authorization: Bearer cdv_abc123...`. The server hashes the key, looks it up in its database, finds the associated user account, and applies that account's permissions to the request.
API key vs OAuth token
Both authenticate requests, but they're used differently. API key = the developer's app-level credential (typically long-lived, manually rotated). OAuth token = a user-specific credential issued temporarily after the user explicitly grants permission to the app. In most modern social media APIs you encounter both: the developer holds an API key for their app + per-user OAuth tokens for each user who connected their account.
For scheduling APIs that abstract over OAuth (CodivUpload, Buffer), the user only sees an API key. The OAuth tokens for connected social accounts are held server-side by the scheduling service and never exposed to the developer using the scheduling API.
How to handle API keys safely
Five rules. (1) Treat API keys as secrets — never commit to version control, never log in plaintext, never paste in screenshots. (2) Use environment variables in production — `process.env.CODIVUPLOAD_API_KEY` not hardcoded strings. (3) Use a secret manager for serious production (AWS Secrets Manager, GCP Secret Manager, Doppler, Infisical). (4) Rotate periodically — quarterly is reasonable; immediately if there's any leak suspicion. (5) Use scoped or short-lived keys when possible — limits blast radius if a key is compromised.
Authenticate a CodivUpload API request with an API key
bash
# Pass the API key in the Authorization header
# Format: "Bearer <key>"
curl -X POST https://api.codivupload.com/v1/posts \
-H "Authorization: Bearer cdv_abc123..." \
-H "Content-Type: application/json" \
-d '{
"profile_name": "main",
"platforms": ["instagram", "tiktok"],
"post_type": "reel",
"media_urls": ["https://cdn.example.com/video.mp4"],
"description": "Test post",
"tiktok_privacy_level": 0
}'
# In Node.js with environment variable:
const apiKey = process.env.CODIVUPLOAD_API_KEY; // never hardcode
fetch('https://api.codivupload.com/v1/posts', {
method: 'POST',
headers: {
'Authorization': `Bearer ${apiKey}`,
'Content-Type': 'application/json',
},
body: JSON.stringify({ /* ... */ })
});Common pitfalls
- ×Hardcoding API keys in source code — leaks happen via GitHub commits, screenshots, log files
- ×Exposing API keys in client-side code (React, JavaScript bundles) — anyone can extract them from browser DevTools
- ×Sharing the same API key across multiple environments (dev, staging, prod) — one leak compromises everything
- ×Skipping rotation — long-lived keys accumulate exposure over months/years
Tips
- ✓Use environment variables in production — never hardcode
- ✓Add API keys to .gitignore and never commit — use git-secrets or similar tooling to enforce
- ✓Issue separate keys per environment — prod, staging, dev each get their own key
- ✓Rotate quarterly — automate where possible to make rotation low-friction
Frequently asked questions
What do I do if I leak my API key?+
Three steps immediately. (1) Rotate the key from the service's dashboard — invalidates the leaked credential. (2) Audit recent activity for unauthorized usage. (3) Update your application to use the new key. Most leaked keys are detected by automated scanners (GitHub's secret scanning, third-party tools like git-secrets) within hours; speed of rotation matters.
Should I generate one API key or many?+
Many, scoped per use case. One key for production, one for staging, one for each environment. Some services support read-only keys vs read-write keys — use the most-restrictive scope sufficient for the use case. Single 'master key' patterns concentrate risk.
Can I use API keys in client-side code?+
Generally no — keys exposed in browser-side JavaScript can be extracted by anyone using DevTools. The right pattern is to keep API keys server-side and proxy requests through your own backend. CodivUpload's API is server-side only; never call it from a public web client.
How is an API key different from a password?+
Functionally similar (both authenticate the requester) but API keys are purpose-built for machine-to-machine usage. They're typically longer, more random, and lack human-readable elements. They're also tied to specific apps rather than user accounts directly, making rotation safer (rotating a password locks out the human user; rotating an API key just disconnects the app).
Get a CodivUpload API key — free plan included
Generate an API key from the CodivUpload dashboard, paste it into your scheduling code, and publish to 11 platforms in one call. Free plan supports the same key-based auth.
Try the API freeRelated glossary terms