Authentication
API keys and Bearer tokens
The OpenPost API authenticates every request with an API key sent as a Bearer token. Keys are workspace-scoped: a key can only read and write the workspace it was created in. There is no user identity attached to a key, and there are no org-wide admin tokens.
Getting a key
1. Open Settings → API keys. Only workspace admins and owners can see this page.
2. Click Generate key. Pick a name (shown in the keys list so you can identify it later). We generate the key server-side with cryptographic randomness.
3. Copy the key; you won't see it again. We show the full key once at creation and store only a SHA-256 hash. If you lose it, delete the key and create a new one.
Key format
API key: op_live_<32 url-safe base64 chars>
Length: 40 characters total including the op_live_ prefix
Storage: Only a SHA-256 hash is stored; the plaintext is shown once.
Sending the key
Authorization: Bearer op_live_4kE...Zq
curl https://api.openpost.so/v1/integrations \
-H "Authorization: Bearer $OP_KEY"
Scopes
Per-resource scopes are not yet available — every API key currently has full read/write access to its workspace. Scoped keys are on the roadmap.
Rotating keys
To rotate, go to Settings → API keys, generate a new key, deploy it, then delete the old one. There is no automatic dual-key overlap period — deploy the new key first, then revoke.
Common auth errors
{ "error": "Invalid API key" }
401: missing Authorization header, non-Bearer token, unknown key, or deleted key
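The key format, hash-only storage and 401 cases described above, as an added Python sketch (not OpenPost's server code). KeyStore, its in-memory dict and the 24-byte random length are assumptions chosen to match the documented 40-character shape.

```python
import hashlib
import re
import secrets

PREFIX = "op_live_"
# Documented shape: prefix + 32 URL-safe base64 characters = 40 characters.
KEY_RE = re.compile(r"op_live_[A-Za-z0-9_-]{32}")
# One response body for every failure, so the caller cannot tell the cases apart.
INVALID = (401, {"error": "Invalid API key"})


def digest(key: str) -> str:
    """SHA-256 hex digest of the key; this is the only form that gets stored."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


class KeyStore:
    """Hypothetical store: holds SHA-256 digests only, never plaintext keys."""

    def __init__(self):
        self._by_digest = {}  # digest -> workspace id

    def generate(self, workspace: str) -> str:
        # Assumption: 24 random bytes, which base64url-encode to exactly 32 chars.
        key = PREFIX + secrets.token_urlsafe(24)
        self._by_digest[digest(key)] = workspace
        return key  # returned once; only the digest is retained

    def delete(self, key: str) -> None:
        self._by_digest.pop(digest(key), None)

    def authenticate(self, headers: dict):
        """Return (200, workspace) or the shared 401 for any failure."""
        value = headers.get("Authorization", "")
        scheme, _, token = value.partition(" ")
        # Covers a missing header, a non-Bearer scheme and a malformed key.
        if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
            return INVALID
        # Covers unknown and deleted keys: no stored digest matches.
        workspace = self._by_digest.get(digest(token))
        if workspace is None:
            return INVALID
        return (200, workspace)
```

Because only the digest is kept, a lost key cannot be recovered from the store, which is why the page's answer to a lost key is delete and regenerate.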