Authentication - Autoposting

Two auth methods are supported. Use Bearer Tokens for user-context operations; use API Keys for all automation, server-to-server, and long-running integrations.

Bearer Token
API Key
CLI Login

Issued on login. Carries full user-level permissions within the organization — suited for frontend apps and dashboard interactions.

curl -X POST https://app.autoposting.ai/api-proxy/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "your-password"}'
# Response: { "data": { "token": "eyJhbGci..." } }

Session tokens expire. For long-running server processes, use API keys instead.

Org-scoped keys with declared permission scopes. Accepted via Authorization: Bearer or x-api-key header — recommended for all programmatic access.

# Create a key (requires active session token)
curl -X POST https://app.autoposting.ai/api-proxy/api-keys \
  -H "Authorization: Bearer <session-token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "prod-automation", "scopes": ["posts:write", "posts:read", "brands:read"]}'

The full key value is returned only once at creation. Store it in a secrets manager — if lost, revoke and create a new one.

Use the key on every request:

# Authorization header (recommended)
curl https://app.autoposting.ai/api-proxy/posts -H "Authorization: Bearer sk-social-your-key"

# x-api-key header (alternative)
curl https://app.autoposting.ai/api-proxy/posts -H "x-api-key: sk-social-your-key"

SDK usage:

import { Autoposting } from '@autoposting.ai/sdk'
const client = new Autoposting({ apiKey: 'sk-social-...' })

The Autoposting CLI supports a device code login flow — no API key required for interactive use.

ap auth login
# Opens your browser to authorize the CLI.
# Once approved, the session token is stored locally.

CLI sessions use the same Bearer Token mechanism under the hood. For unattended scripts and CI/CD, use an API key instead.

Permission Scopes

Requests outside granted scopes return 403 Forbidden. Grant only what your integration needs.

Scope	Access
`posts:read`	List and retrieve posts, drafts, publish results
`posts:write`	Create, update, delete, publish, schedule, retry posts
`brands:read`	List brands and retrieve brand details
`brands:write`	Create, update, delete, and reorder brands
`clips:read`	List clip jobs, retrieve results and download URLs
`clips:write`	Upload videos, trigger scene detection and clip generation
`carousels:read`	List and retrieve carousel drafts
`carousels:write`	Create, generate, refine, and publish carousels
`kb:read`	Search and read knowledge base documents
`kb:write`	Upload, ingest, and delete knowledge base content
`agents:read`	List agents, view run history and outputs
`agents:write`	Create, update, toggle, and run agents
`webhooks:read`	List webhook endpoints
`webhooks:write`	Create, update, and delete webhook endpoints

Rate Limiting

Limits are enforced per API key and per user session. Exceeding the limit returns 429 Too Many Requests. Implement exponential backoff — start at 1 second, double on each retry, cap at 60 seconds.

Header	Description
`X-RateLimit-Limit`	Maximum requests allowed in the window
`X-RateLimit-Remaining`	Requests remaining in the current window
`X-RateLimit-Reset`	Unix timestamp when the window resets
`Retry-After`	Seconds to wait before retrying

Error Reference

Status	Meaning
`401 Unauthorized`	Missing, invalid, or expired token / API key
`402 Payment Required`	Insufficient credits for the requested operation
`403 Forbidden`	Valid credentials but insufficient scope
`429 Too Many Requests`	Rate limit exceeded

Best Practices

Use API keys for all automation

Never embed session tokens in scripts or CI/CD pipelines. Session tokens are user-bound and expire — API keys are designed for programmatic access and don’t expire unless revoked.

Scope to minimum permissions

A key that only needs posts:read should not have posts:write. Reducing scope limits blast radius if a key is compromised.

Store keys in a secrets manager

Use environment variables, AWS Secrets Manager, 1Password Secrets Automation, or Doppler. Never commit a key to source control — even in a private repo.

Rotate keys on a schedule

Revoke and recreate API keys periodically. Revoke immediately if a key is ever exposed — revocation is instant and permanent.

Quickstart

Create your first API key and publish a post in 5 minutes.

API Reference

Full endpoint reference with auth examples on every request.

API Keys endpoint

Create, list, update, and revoke keys programmatically.

MCP Server

Use Autoposting from Claude with automatic auth handling.

​Permission Scopes

​Rate Limiting

​Error Reference

​Best Practices

Quickstart

API Reference

API Keys endpoint

MCP Server

Permission Scopes

Rate Limiting

Error Reference

Best Practices