FeedHorizon API
Guides

Authentication

How to authenticate with the FeedHorizon API using API keys.

Overview

All FeedHorizon API requests must include a valid API key in the Authorization header using the Bearer scheme.

Authorization: Bearer fh_YOUR_API_KEY

API key format

Keys follow this format:

| Part | Description |
|------|-------------|
| fh_ | Fixed prefix identifying FeedHorizon keys |
| 64 hex characters | Random cryptographic payload |

Total length: 67 characters (e.g. fh_aee6d4242ae1d2ff857b4a900904f9e5beac1f2168a6c83da9f63053fda8caf8)

Keys are hashed with SHA-256 before storage. The plaintext key is only shown once at creation.

Permission levels

Each key has one of two permission levels:

| Permission | Read | Write |
|------------|------|-------|
| readwrite | All GET endpoints | POST, PATCH, DELETE |
| readonly | All GET endpoints | Blocked (403) |

Profile scope

Keys can be scoped to specific profiles:

  • Full access — Can access all profiles (including future ones)
  • Specific profiles — Only access posts and accounts belonging to the selected profiles

Key management

Create a key

curl -X POST https://app.feedhorizon.dev/api/v1/api-keys \
  -H "Authorization: Bearer fh_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "CI/CD Pipeline", "permission": "readwrite" }'

The response includes the full key field. Store it immediately; it won't be shown again.

List keys

curl https://app.feedhorizon.dev/api/v1/api-keys \
  -H "Authorization: Bearer fh_YOUR_API_KEY"

Returns key metadata with keyPrefix only (e.g. fh_abc12345).

Delete a key

curl -X DELETE https://app.feedhorizon.dev/api/v1/api-keys/KEY_ID \
  -H "Authorization: Bearer fh_YOUR_API_KEY"

Deletion is immediate and irreversible.

Expiring keys

Set expiresAt when creating a key to automatically expire it:

{
    "name": "Temp key",
    "expiresAt": "2026-12-31T23:59:59Z"
}

Expired keys return 401 Unauthorized with the message "API key has expired".

Security best practices

  1. Never commit keys to source control — Use environment variables
  2. Use read-only keys when you only need to fetch data
  3. Scope keys to specific profiles to limit blast radius
  4. Set expiry dates for temporary integrations
  5. Rotate keys regularly — Delete old keys and create new ones
  6. Monitor lastUsedAt in the dashboard to detect unused keys
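
One way to enforce practice 1 is a pre-commit check that rejects files containing key-shaped strings. The script below is an added example, not part of the FeedHorizon documentation or tooling; the function names, the FH_API_KEY variable name and the sample input are assumptions, and it reports only an 11-character prefix so the finding can be matched against the keyPrefix shown by the list endpoint without reprinting the secret.

```python
import re
import sys
from pathlib import Path

# Format from the guide: "fh_" + 64 hex characters (67 characters in total).
# The lookarounds reject matches inside a longer token; accepting upper-case
# hex is an assumption (the guide's sample key is lower-case).
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])fh_[0-9a-fA-F]{64}(?![0-9A-Za-z_])")

# Constructed sample input: one key-shaped value and the docs placeholder.
SAMPLE_KEY = "fh_" + "0123456789abcdef" * 4
SAMPLE = (
    "API_URL=https://app.feedhorizon.dev/api/v1\n"
    f"FH_API_KEY={SAMPLE_KEY}\n"
    '# curl -H "Authorization: Bearer fh_YOUR_API_KEY"\n'
)

def redact(key):
    """Keep fh_ plus 8 characters (assumed to match the keyPrefix shape)."""
    return key[:11]

def scan_text(text, source="<text>"):
    """Return (source, line number, redacted key) for each key-shaped token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group())))
    return findings

def scan_paths(paths):
    """Scan files given by a pre-commit hook; unreadable paths are skipped."""
    findings = []
    for path in paths:
        try:
            text = Path(path).read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(path)))
    return findings

def main(argv):
    findings = scan_paths(argv)
    for source, lineno, prefix in findings:
        print(f"{source}:{lineno}: FeedHorizon API key ({prefix}...)", file=sys.stderr)
    return 1 if findings else 0  # non-zero exit blocks the commit

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A key that this check finds in history should be treated as exposed: delete it and create a replacement, as in practice 5.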