SocialCrawl

Authentication

How to authenticate with the SocialCrawl API using the x-api-key header

Authentication

Every request to the SocialCrawl API requires an API key passed via the x-api-key header. There is no OAuth flow, no token exchange, and no session — the key is the entire credential.

Getting Your API Key

  1. Sign up at socialcrawl.dev — you get 100 welcome credits instantly
  2. Navigate to Dashboard → API Keys
  3. Click Create Key and give it a descriptive name (e.g. production, staging, local-dev)
  4. Copy the key from the one-time reveal dialog — this is the only time the full key is shown

Keys have the format sc_ followed by 32 random bytes (base64url-encoded), so every key is 46 characters long. Only the last 4 characters are displayed in the dashboard after creation.

Using Your Key

Include the x-api-key header with every request:

curl https://socialcrawl.dev/v1/tiktok/profile?handle=charlidamelio \
  -H "x-api-key: sc_your_api_key_here"
const response = await fetch(
  "https://socialcrawl.dev/v1/tiktok/profile?handle=charlidamelio",
  { headers: { "x-api-key": "sc_your_api_key_here" } },
);
import requests

response = requests.get(
    "https://socialcrawl.dev/v1/tiktok/profile",
    params={"handle": "charlidamelio"},
    headers={"x-api-key": "sc_your_api_key_here"},
)

Missing or malformed keys return 401 MISSING_API_KEY / 401 INVALID_API_KEY. See Error Handling for the full list.

Key Management

RuleValue
Active keys per accountUp to 5
StorageSHA-256 hash for auth lookup, AES-256-GCM encrypted for retrieval
RevocationSoft delete — revoked keys return 401 INVALID_API_KEY immediately
ExpiryOptional per-key expires_at (unset = never)
RotationCreate a new key, update clients, revoke the old one

Revoke compromised keys from Dashboard → API Keys as soon as possible — a revoked key is rejected on the very next request.

Security Recommendations

  • Never embed keys in client-side code. Every request using your key is billed to your account. Use a server proxy when calling from browsers or mobile apps.
  • Use separate keys per environment. Revoking a staging key shouldn't take down production.
  • Store keys in a secret manager (Vercel Encrypted Env, AWS Secrets Manager, 1Password, etc.) — not in git.
  • Set an expires_at on any key you issue to a contractor or short-lived job.

On this page

AuthenticationGetting Your API KeyUsing Your KeyKey ManagementSecurity RecommendationsRelated
Authentication | Socialcrawl