Authentication
Learn how to authenticate with the Forest SEO API using API keys, manage credentials, and secure your integration.
Forest SEO API uses API Key authentication to secure all API requests. This guide explains how to create, manage, and use API keys for programmatic access.
🔑 Authentication Method
All API requests must include an API key in the Authorization header using the following format:
Authorization: API-Key YOUR_API_KEY_HERESecurity Notice
Never expose your API keys in client-side code, public repositories, or logs. Treat API keys like passwords — store them securely as environment variables or in secure credential storage.
📋 API Key Overview
What Are API Keys?
API keys are 64-character tokens that authenticate your application or integration with Forest SEO's backend services. Each API key:
- Associates with a user account — operates with that user's permissions
- Can be disabled — temporarily revoke access without deletion
- Has a specific purpose — track usage by integration type
- Is auto-generated — cryptographically secure random strings
Key Properties
| Property | Description | Example |
|---|---|---|
| Name | Descriptive label for the key | "WordPress Blog Integration" |
| Key | 64-character authentication token | "Abc123...xyz789" (auto-generated) |
| User | Associated user account | User with project access |
| Purpose | Integration type | External Integration, CMS, Automated Publishing |
| Status | Active/Inactive | isActive: true |
| Description | Optional usage notes | "Production webhook for article publishing" |
🚀 Creating an API Key
Navigate to API Keys Management
Access API keys through your Forest SEO dashboard:
- Log in to /dash
- Select your project from the sidebar
- Go to Settings → API Keys
Create New API Key
Click "Create API Key" and fill in the details:
Required Fields
Name: Descriptive identifier for the key
Example: "Production CMS Integration"User: Select the user account this key will authenticate as
- The key inherits all permissions from this user
- Choose a user with appropriate project access
Optional Fields
Purpose: Select the primary use case
- External Integration — Third-party tools and services
- Third-Party CMS — Content management systems (WordPress, Ghost, etc.)
- Automated Publishing — Scheduled content deployment
- Other — Custom integrations
Description: Add notes about usage
Example: "Used by WordPress plugin to auto-publish generated articles to https://myblog.com"Copy and Secure Your API Key
Critical: Save Your API Key
You can only view the API key once during creation. After closing the dialog, the full key cannot be retrieved again. Store it immediately in a secure location.
When you click "Create", the system:
- Generates a random 64-character key
- Displays it in a copy-friendly dialog
- Stores a hashed version in the database
Best Practices for Storage:
- ✅ Save in environment variables (
.envfile, not committed to git) - ✅ Use secret management tools (AWS Secrets Manager, HashiCorp Vault, 1Password)
- ✅ Store in CI/CD platform secrets (GitHub Actions, GitLab CI)
- ❌ Don't hardcode in source code
- ❌ Don't commit to version control
- ❌ Don't share via email or chat
🔧 Using API Keys
HTTP Request Headers
Include your API key in every request to the Forest SEO API:
curl -X GET "https://api.forestseo.com/v1/projects" \
-H "Authorization: API-Key YOUR_API_KEY_HERE" \
-H "Content-Type: application/json"Example: List Projects
curl -X GET "https://api.forestseo.com/v1/projects" \
-H "Authorization: API-Key Abc123...xyz789"Response:
{
"items": [
{
"id": "proj_abc123",
"name": "My Blog",
"created_at": "2024-01-15T10:00:00Z"
}
],
"total": 1
}Project Context Header
Most API endpoints require a project context. Include the X-Project-ID header:
curl -X GET "https://api.forestseo.com/v1/contents" \
-H "Authorization: API-Key YOUR_API_KEY_HERE" \
-H "X-Project-ID: proj_abc123" \
-H "Content-Type: application/json"The API key authenticates who you are, while X-Project-ID specifies which project you're working with.
🛡️ Security Best Practices
Environment Variables
Store API keys in environment variables:
Development (.env.local):
FORESTSEO_API_KEY=YOUR_API_KEY_HERE
FORESTSEO_PROJECT_ID=proj_abc123Usage in code:
const apiKey = process.env.FORESTSEO_API_KEY;
const projectId = process.env.FORESTSEO_PROJECT_ID;
fetch('https://api.forestseo.com/v1/contents', {
headers: {
'Authorization': `API-Key ${apiKey}`,
'X-Project-ID': projectId,
'Content-Type': 'application/json',
},
});Key Rotation
Regularly rotate API keys to maintain security:
- Create a new API key with the same purpose
- Update your integrations with the new key
- Test thoroughly to ensure all systems work
- Disable the old key (don't delete yet)
- Monitor for 24-48 hours for any failed requests
- Delete the old key once confirmed unused
Access Control
- Use separate keys for different environments (dev, staging, production)
- Assign minimal permissions — create keys for users with least privilege needed
- Document key usage — maintain an inventory of where each key is used
- Audit regularly — review active keys and disable unused ones
🔄 Managing API Keys
Viewing API Keys
List all API keys in your account:
Key information displayed:
- Name and description
- Associated user
- Purpose category
- Creation date
- Last used timestamp
- Active/inactive status
Security Note: For security reasons, only the last 8 characters of each key are displayed. The full key is never shown after initial creation.
Disabling API Keys
Temporarily revoke access without deleting the key:
- Navigate to Settings → API Keys
- Find the key in the list
- Click the toggle switch or "Disable" button
- Confirm the action
When disabled:
- ✅ Key information is preserved
- ✅ Can be re-enabled anytime
- ❌ All requests using this key will fail with
401 Unauthorized
Use cases:
- Investigating suspicious activity
- Temporarily pausing an integration
- Testing without permanent deletion
Deleting API Keys
Permanently remove an API key:
Permanent Action
Deletion is irreversible. Any integrations using this key will immediately stop working. Create a replacement key first if needed.
- Navigate to Settings → API Keys
- Find the key in the list
- Click "Delete" (or trash icon)
- Confirm deletion by typing the key name
🚨 Troubleshooting
Common Errors
401 Unauthorized
Causes:
- Missing
Authorizationheader - Incorrect API key format
- Invalid or disabled API key
- Expired or deleted key
Solution:
# ❌ Wrong format
Authorization: Bearer YOUR_API_KEY
# ❌ Wrong format
Authorization: YOUR_API_KEY
# ✅ Correct format
Authorization: API-Key YOUR_API_KEY403 Forbidden
Causes:
- API key user lacks permissions for the requested resource
- Project access not granted to the key's user
- Operation not allowed for API key authentication
Solution:
- Verify the user associated with the API key has access to the project
- Check user role permissions
- Some sensitive operations may require interactive login
400 Bad Request (Missing Project Context)
Error message:
{
"detail": "Project ID required. Include X-Project-ID header."
}Solution:
# Add X-Project-ID header to your request
curl -X GET "https://api.forestseo.com/v1/contents" \
-H "Authorization: API-Key YOUR_API_KEY" \
-H "X-Project-ID: proj_abc123"Rate Limiting
API keys are subject to rate limits:
| Tier | Requests per Minute | Daily Limit |
|---|---|---|
| Free | 60 | 1,000 |
| Starter | 120 | 5,000 |
| Professional | 300 | 20,000 |
| Enterprise | Custom | Custom |
Rate limit headers in response:
X-RateLimit-Limit: 120
X-RateLimit-Remaining: 115
X-RateLimit-Reset: 1640000000When rate limited, you'll receive:
{
"error": "rate_limit_exceeded",
"message": "Too many requests. Please try again in 60 seconds.",
"retry_after": 60
}💡 Integration Examples
Node.js
import axios from 'axios';
const client = axios.create({
baseURL: 'https://api.forestseo.com/v1',
headers: {
'Authorization': `API-Key ${process.env.FORESTSEO_API_KEY}`,
'X-Project-ID': process.env.FORESTSEO_PROJECT_ID,
'Content-Type': 'application/json',
},
});
// List contents
const response = await client.get('/contents');
console.log(response.data);Python
import os
import requests
API_KEY = os.getenv('FORESTSEO_API_KEY')
PROJECT_ID = os.getenv('FORESTSEO_PROJECT_ID')
headers = {
'Authorization': f'API-Key {API_KEY}',
'X-Project-ID': PROJECT_ID,
'Content-Type': 'application/json',
}
response = requests.get(
'https://api.forestseo.com/v1/contents',
headers=headers
)
print(response.json())PHP
<?php
$apiKey = getenv('FORESTSEO_API_KEY');
$projectId = getenv('FORESTSEO_PROJECT_ID');
$ch = curl_init('https://api.forestseo.com/v1/contents');
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
"Authorization: API-Key {$apiKey}",
"X-Project-ID: {$projectId}",
"Content-Type: application/json",
],
]);
$response = curl_exec($ch);
$data = json_decode($response, true);
print_r($data);
curl_close($ch);cURL (Bash Script)
#!/bin/bash
API_KEY="${FORESTSEO_API_KEY}"
PROJECT_ID="${FORESTSEO_PROJECT_ID}"
curl -X GET "https://api.forestseo.com/v1/contents" \
-H "Authorization: API-Key ${API_KEY}" \
-H "X-Project-ID: ${PROJECT_ID}" \
-H "Content-Type: application/json"📖 Next Steps
Explore all available API endpoints and operations
Learn how to integrate Forest SEO with your platform
Set up webhooks for real-time content delivery
🆘 Need Help?
Having trouble with API authentication? Our support team is here to help:
- 💬 Live Chat: Available in dashboard
- 📧 Email: [email protected]
- 📚 Documentation: /docs