Developer API

Offer controlled API access to customer websites from one dashboard

Issue keys, enforce scopes, monitor usage, and connect billing to API access while keeping governance inside your AutoPubliq workspace.

Start API Access Talk to Sales
Model 01 Plan-Aware Access

API access follows tenant subscription status and package permissions.

Model 02 Key Governance

Create, rotate, revoke, and scope keys with optional origin and IP policies.

Model 03 Usage + Billing

Track usage by key and tenant with data that supports billing operations.

Model 04 Security First

Hashed keys, scope checks, and rate controls are enforced in request flow.

API Packaging Framework

Use clear package tiers so customer websites can adopt API access without custom contract logic each time.

Tier Best For Billing Cycles Keys Core Access Model
Starter API Single product site integration Monthly / Annual 2 `read` + `write` scopes with usage visibility
Growth API Multi-site or agency rollout Monthly / Annual 10 Environment-specific keys + webhook scope
Enterprise API High-volume platform partners Annual preferred Custom Custom limits, policy controls, and enterprise governance

Recommended key policy: one key per environment (`dev`, `staging`, `prod`) and separate keys per customer site when strict isolation is needed.

API Key Lifecycle

All lifecycle actions are managed from your AutoPubliq website dashboard and backend APIs.

Lifecycle Actions

  • Create key
  • List keys
  • Rotate key
  • Revoke key
  • Assign scopes (`read`, `write`, `webhook`)
  • Set expiration and status

Storage + Display Rules

  • Store only hashed keys in database
  • Show plaintext key once at creation time
  • Never expose full key again in UI or logs
  • Audit all lifecycle actions with actor and timestamp
  • Support emergency revoke with immediate effect

Gateway Enforcement Rules

Each request should be validated for tenant access, key status, scope, and policy constraints.

Access Validation

  • Validate key hash and tenant ownership
  • Reject expired, revoked, or suspended keys
  • Require scope match per endpoint
  • Apply optional domain/IP allowlist checks

Rate Limiting

  • Per-key request per minute limits
  • Per-tenant request controls
  • Throttle and reject behavior on limit breach
  • Usage logs for billing and review workflows

Error Responses

  • `401 invalid_api_key`
  • `403 insufficient_scope`
  • `403 key_revoked`
  • `429 rate_limited`
  • `403 origin_not_allowed` / `403 ip_not_allowed`

Integration Quick Start

Use server-to-server calls from your backend. Never expose secret API keys in frontend code.

Base Setup

  1. Buy or upgrade to an API-enabled plan.
  2. Create a key from Dashboard > Developer API Keys.
  3. Set scopes, environment, and optional expiry/allowlists.
  4. Save the key in secure server environment variables.
  5. Call `/api/v1/content/generate` and `/api/v1/account/usage` from backend services.

Required Headers

  • `Authorization: Bearer YOUR_API_KEY`
  • `Content-Type: application/json`
  • `X-Request-Id: unique-id` (recommended for tracing)
  • `Origin` (required if origin allowlist is configured)

Code Examples

Starter integration snippets for custom websites and backend services.

cURL Request

curl -X POST "https://your-domain.com/api/v1/content/generate" \
  -H "Authorization: Bearer aw_live_xxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "source_url": "https://example.com/article",
    "language": "Hindi",
    "mode": "translate",
    "publish": true,
    "site_id": 12,
    "status": "draft"
  }'

JavaScript Fetch

const response = await fetch("https://your-domain.com/api/v1/content/generate", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.AUTOPUBLIQ_API_KEY}`,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    source_url: "https://example.com/article",
    language: "English",
    mode: "native",
    publish: false
  })
});

const data = await response.json();
if (!response.ok) throw new Error(data.error || "API request failed");

Node.js with Axios

const axios = require("axios");

async function generateArticle(payload) {
  const client = axios.create({
    baseURL: "https://your-domain.com/api/v1",
    timeout: 15000,
    headers: {
      Authorization: `Bearer ${process.env.AUTOPUBLIQ_API_KEY}`,
      "Content-Type": "application/json"
    }
  });

  const { data } = await client.post("/content/generate", payload);
  return data;
}

Webhook Signature Verify (Node)

const crypto = require("crypto");

function verifyWebhookSignature(rawBody, signature, secret) {
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex");
  return crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expected));
}

Operations, Billing, and Rollout

How is usage metering handled?

Each request is logged with tenant, key, endpoint, status, and timestamp. Usage counters are aggregated for dashboard charts, quota tracking, and invoice calculations.

Which API endpoints are available now?

Current developer routes include `/api/v1/content/generate` for content generation and `/api/v1/account/usage` for usage visibility, guarded by scope checks.

Can keys be rotated or revoked without downtime?

Yes. You can rotate or revoke keys from the dashboard. New key material is shown once, and revoked keys are denied immediately.

How does subscription status affect API access?

Developer API access is tied to active subscription state and package policy. Access can be restricted when subscription conditions change.

Can API access be restricted by origin or IP?

Yes. Optional origin and IP allowlists can be configured per key for stricter production controls.

Ready to offer API access to your customers?

Launch API subscriptions, issue keys, and manage the full lifecycle from your AutoPubliq control center.

Start Free Trial