
Authentication

The PostEverywhere API uses Bearer token authentication. Every request must include an API key in the Authorization header. Keys are scoped, revocable, and included on all plans.

How it works

Authentication is handled via the Authorization HTTP header with a Bearer token. Include this header in every API request to https://app.posteverywhere.ai/api/v1.

Authorization header format
Authorization: Bearer pe_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

API key format

All PostEverywhere API keys follow a consistent format that makes them easy to identify in your codebase and to match with secret scanning tools such as GitHub secret scanning or GitGuardian.

Key structure

pe_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

pe_live_: Fixed prefix identifying PostEverywhere production keys
32 hex chars: Unique identifier (lowercase a-f, 0-9)

Regex pattern: Use pe_live_[a-f0-9]{32} to scan for accidentally committed keys in your CI/CD pipeline or pre-commit hooks.

Generating a key

API keys are created from the PostEverywhere dashboard. You can create up to 10 keys per organization, each with independent names and scopes.

  1. Open Settings: Sign in to app.posteverywhere.ai and navigate to Settings > Developer.
  2. Click "Create API Key": Opens the key creation dialog.
  3. Name your key: Give it a descriptive name like "Production Backend" or "Analytics Dashboard". This helps you identify keys later.
  4. Select scopes: Choose Read (list/view resources), Write (create/edit/delete resources), or both. You can always create another key with different scopes.
  5. Copy the key: Your key is displayed once. Copy it immediately and store it securely. You cannot retrieve it later.

Scopes

Each API key has one or more scopes that control what operations it can perform. Use the principle of least privilege — if a service only reads data, give it a Read-only key.

| Scope | Permissions | Example use case |
|-------|-------------|------------------|
| Read | List and view accounts, posts, media, and results | Analytics dashboard, monitoring |
| Write | Create, edit, delete, and retry posts; upload and delete media | Automation backend, CMS integration |
| AI | Generate AI images | AI content pipeline, image generation |

Scope access by endpoint

Endpoint | Read | Write | AI
GET /accounts
GET /accounts/{id}
POST /posts
GET /posts
GET /posts/{id}
PATCH /posts/{id}
DELETE /posts/{id}
GET /posts/{id}/results
POST /posts/{id}/retry
POST /media/upload
GET /media
GET /media/{id}
DELETE /media/{id}
POST /ai/generate-image

Using your key

Pass your API key in the Authorization header as a Bearer token. Here are examples in the most popular languages.

cURL
curl https://app.posteverywhere.ai/api/v1/accounts \
  -H "Authorization: Bearer $POSTEVERYWHERE_API_KEY"

Python

Python — requests
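import os
import requests

# Read the key from the environment; never hardcode it.
API_KEY = os.environ["POSTEVERYWHERE_API_KEY"]
BASE_URL = "https://app.posteverywhere.ai/api/v1"

response = requests.get(
    f"{BASE_URL}/accounts",
    headers={"Authorization": f"Bearer {API_KEY}"},
    timeout=10,  # do not hang indefinitely on a stalled connection
)
response.raise_for_status()  # surface 401/403 instead of parsing an error body

data = response.json()
for account in data["data"]:
    print(f"{account['platform']}: {account['name']} ({account['health']})")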

Node.js

Node.js — fetch
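// Read the key from the environment; never hardcode it.
const API_KEY = process.env.POSTEVERYWHERE_API_KEY;
if (!API_KEY) throw new Error("POSTEVERYWHERE_API_KEY is not set");
const BASE_URL = "https://app.posteverywhere.ai/api/v1";

const response = await fetch(`${BASE_URL}/accounts`, {
  headers: {
    "Authorization": `Bearer ${API_KEY}`,
  },
});

// 401 means a missing or invalid key, 403 means a missing scope.
if (!response.ok) {
  throw new Error(`Request failed with status ${response.status}`);
}

const { data } = await response.json();
data.forEach((account) => {
  console.log(`${account.platform}: ${account.name} (${account.health})`);
});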

The API works with any HTTP client in any language. See the SDKs & Libraries page for more language examples and our OpenAPI spec for auto-generating clients.

Security best practices

Your API key grants access to your PostEverywhere organization. Treat it like a password. Follow these practices to keep your integration secure.

Store keys in environment variables

Never hardcode API keys in your source code. Use environment variables (POSTEVERYWHERE_API_KEY), secret managers (AWS Secrets Manager, Vault), or encrypted config files.

Never commit keys to version control

Add your .env file to .gitignore. Enable GitHub secret scanning or GitGuardian to detect accidentally committed keys. Use the regex pe_live_[a-f0-9]{32} for custom rules.

Rotate keys periodically

Create a new key, update your applications, then revoke the old one. We recommend rotating every 90 days. Since you can have up to 10 keys, you can overlap old and new keys during migration.

Use the principle of least privilege

If a service only reads data (dashboards, analytics), give it a Read-only key. Reserve Write-scoped keys for services that actually create or modify posts. Only enable the AI scope if your integration needs AI image generation. This limits blast radius if a key is compromised.

Monitor key usage

Track rate limit headers (X-RateLimit-Remaining) in your responses to detect unusual activity. Unexpected spikes in API usage may indicate a compromised key.

.env file example

# .env: never commit this file
POSTEVERYWHERE_API_KEY=pe_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4

.gitignore

.env
.env.local
.env.production
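
The scanning advice above (the pe_live_[a-f0-9]{32} pattern for CI/CD and pre-commit hooks) can be applied with a small script. This is an added example, not PostEverywhere's own tooling; the function names and the allowlisting of the documentation placeholder key are assumptions of the example.

```python
import re
import sys

# Key format from this page: "pe_live_" followed by 32 lowercase hex characters.
KEY_RE = re.compile(r"pe_live_[a-f0-9]{32}")

# The placeholder key printed in this documentation; allowlisted so that
# copies of the docs do not fail the hook (an assumption of this example).
DOC_PLACEHOLDER = "pe_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4"


def redact(key):
    """Keep the prefix and last four characters so findings are safe to log."""
    return key[:8] + "*" * 28 + key[-4:]


def scan_text(text, allowlist=(DOC_PLACEHOLDER,)):
    """Return (line_number, redacted_key) for every non-allowlisted key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            if match.group(0) not in allowlist:
                findings.append((lineno, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan files by path; undecodable bytes are ignored, unreadable files skipped."""
    report = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="ignore") as handle:
                found = scan_text(handle.read())
        except OSError:
            continue
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    # Pre-commit style usage: file paths as arguments, non-zero exit blocks the commit.
    report = scan_files(sys.argv[1:])
    for path, found in report.items():
        for lineno, key in found:
            print(f"{path}:{lineno}: possible PostEverywhere API key {key}")
    sys.exit(1 if report else 0)
```

Findings are printed redacted so that the hook's own output does not copy the key into CI logs.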

Revoking keys

You can revoke any API key instantly from the PostEverywhere dashboard. Revocation takes effect immediately — any in-flight or future requests using the revoked key will receive a 401 Unauthorized response.

  1. Go to Settings > Developer
  2. Find the key you want to revoke in the key list
  3. Click the Revoke button next to the key
  4. Confirm the revocation

Warning: Revoking a key is permanent and cannot be undone. Any application using the revoked key will immediately lose access. Make sure to update your applications with a new key before revoking the old one during key rotation.

Error responses

When authentication fails, the API returns a 401 Unauthorized response. The error follows the standard PostEverywhere error response format.

401 — Missing or invalid API key

401 Unauthorized
{
  "data": null,
  "error": {
    "code": "unauthorized",
    "message": "Invalid or missing API key. Include a valid key in the Authorization header.",
    "status": 401
  },
  "meta": {
    "request_id": "req_err123abc456",
    "timestamp": "2026-03-02T10:00:00Z"
  }
}

403 — Insufficient scopes

403 Forbidden
{
  "data": null,
  "error": {
    "code": "forbidden",
    "message": "This API key does not have the 'write' scope required for POST /posts. Create a new key with Write scope.",
    "status": 403
  },
  "meta": {
    "request_id": "req_err789def012",
    "timestamp": "2026-03-02T10:00:00Z"
  }
}

Common authentication issues

| Error | Cause | Fix |
|-------|-------|-----|
| 401 | No Authorization header | Add -H "Authorization: Bearer pe_live_..." |
| 401 | Typo in "Bearer" prefix | Ensure the header value starts with exactly Bearer (capital B, one space) |
| 401 | Key has been revoked | Generate a new key from Settings > Developer |
| 403 | Missing required scope | Create a new key with the appropriate scope (Read or Write) |
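
The server reports all three 401 causes in the table above with the same error code, so a client can only tell them apart by checking its own header first. The following added example (not PostEverywhere code; `check_header` and `diagnose` are hypothetical names) does that check locally, reads the error envelope shown above, and tolerates a non-JSON body.

```python
import json
import re

KEY_RE = re.compile(r"pe_live_[a-f0-9]{32}")  # key format documented on this page


def check_header(value):
    """Return None if the Authorization value is well formed, else the likely cause."""
    if not value:
        return "no Authorization header"
    scheme, sep, key = value.partition(" ")
    if scheme != "Bearer" or not sep or key.startswith(" "):
        return 'typo in "Bearer" prefix'
    if not KEY_RE.fullmatch(key):
        return "key is not pe_live_ plus 32 lowercase hex characters"
    return None


def _section(envelope, name):
    """Fetch a sub-object of the error envelope, tolerating unexpected shapes."""
    value = envelope.get(name) if isinstance(envelope, dict) else None
    return value if isinstance(value, dict) else {}


def diagnose(status, body_text, header_value):
    """Map a 401/403 to a cause and fix; the key itself is never returned."""
    try:
        envelope = json.loads(body_text)
    except ValueError:
        envelope = {}  # for example an HTML error page from an intermediary
    result = {
        "code": _section(envelope, "error").get("code"),
        "request_id": _section(envelope, "meta").get("request_id"),
        "cause": None,
        "fix": None,
    }
    if status == 401:
        local = check_header(header_value)
        result["cause"] = local or "key is invalid or has been revoked"
        result["fix"] = ("correct the Authorization header" if local
                         else "generate a new key from Settings > Developer")
    elif status == 403:
        result["cause"] = "missing required scope"
        result["fix"] = "create a new key with the appropriate scope"
    return result
```

The returned `request_id` is the value to log and quote when investigating a failure; the header value is inspected but never copied into the result.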

Frequently asked questions

What format do PostEverywhere API keys use?
All PostEverywhere API keys start with the prefix pe_live_ followed by 32 hexadecimal characters (e.g., pe_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4). The pe_live_ prefix makes it easy to identify PostEverywhere keys in your codebase and set up secret scanning rules.
How many API keys can I create?
You can create up to 10 API keys per organization. Each key can have independent scopes (Read, Write, or both) and a descriptive name. This lets you use separate keys for different services — for example, a read-only key for analytics dashboards and a write-enabled key for your posting automation.
What happens if my API key is compromised?
Immediately revoke the key from Settings > Developer in the PostEverywhere dashboard. Revocation takes effect instantly — any requests using that key will receive a 401 Unauthorized response. Then generate a new key and update your application. We also recommend enabling GitHub secret scanning or similar tools to catch accidental commits.
Can I use the same API key for multiple applications?
While technically possible, we recommend creating separate API keys for each application or service. This follows the principle of least privilege and makes it easier to revoke access to a single application without affecting others. With up to 10 keys per organization, you have plenty of room for separation.
Do API keys expire automatically?
No, PostEverywhere API keys do not expire automatically. Keys remain valid until you manually revoke them from Settings > Developer. However, we recommend rotating keys periodically (e.g., every 90 days) as a security best practice. When you rotate, create a new key first, update your applications, then revoke the old key.
