Authentication
Every consumer API request must carry a workspace API key. Keys are scoped to a single workspace, so a key minted in workspace A can never read content from workspace B.
Mint a key
- Sign in and switch to the workspace you want to expose.
- Open Workspace settings → API keys.
- Click New API key and give it a descriptive name (the integration that will use it — e.g. “marketing-site”, “mobile-android”).
- Copy the raw key. It is shown once at creation time. After you close the dialog, only a short prefix and a SHA-256 hash are stored.
If you lose a key, revoke it and mint a new one.
Sending the key
Pick whichever header works best for your HTTP client:
x-api-key header
```bash
curl https://api.contentpilot.uixlabs.co/api/consumer/blogs \
  -H "x-api-key: cp_live_..."
```
Authorization: Bearer
```bash
curl https://api.contentpilot.uixlabs.co/api/consumer/blogs \
  -H "Authorization: Bearer cp_live_..."
```
If both are present, x-api-key wins.
Key lifecycle
- Active — usable. Each successful request bumps the lastUsedAt timestamp visible in the dashboard.
- Revoked — disabled. Requests using a revoked key get 401 Unauthorized even if the raw value is still floating around.
Revocation is immediate. There is no grace period.
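The behaviour described above (only a prefix and a SHA-256 hash are stored, x-api-key takes precedence, revocation is immediate), modelled as an added example. This is not ContentPilot's own code; `KeyStore`, `PREFIX_LEN` and the record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIX_LEN = 12  # assumption: number of leading characters kept for lookup and display

class KeyStore:
    """Hypothetical server-side store: keeps prefix + SHA-256 digest, never the raw key."""

    def __init__(self):
        self._records = {}  # prefix -> record

    def mint(self, workspace, name):
        raw = "cp_live_" + secrets.token_urlsafe(32)
        self._records[raw[:PREFIX_LEN]] = {
            "workspace": workspace, "name": name,
            "sha256": hashlib.sha256(raw.encode()).hexdigest(),
            "revoked": False, "lastUsedAt": None,
        }
        return raw  # shown once; it cannot be recovered from the stored record

    def revoke(self, prefix):
        self._records[prefix]["revoked"] = True  # immediate, no grace period

    def authenticate(self, headers):
        """Return (status, workspace). x-api-key wins over Authorization: Bearer."""
        h = {k.lower(): v for k, v in headers.items()}
        raw = h.get("x-api-key")
        if raw is None:
            scheme, _, token = h.get("authorization", "").partition(" ")
            raw = token.strip() if scheme.lower() == "bearer" else None
        if not raw:
            return 401, None
        rec = self._records.get(raw[:PREFIX_LEN])
        digest = hashlib.sha256(raw.encode()).hexdigest()
        # Compare digests in constant time; use a dummy digest when the prefix is unknown.
        expected = rec["sha256"] if rec else "0" * 64
        if not hmac.compare_digest(digest, expected) or rec is None or rec["revoked"]:
            return 401, None
        rec["lastUsedAt"] = datetime.now(timezone.utc)  # bumped only on success
        return 200, rec["workspace"]
```

Because only the digest is kept, a lost key cannot be redisplayed, which is why the page tells you to revoke it and mint a new one.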
Rotating keys safely
To rotate without downtime:
- Mint a new key in the dashboard.
- Deploy the new key to your integration.
- Confirm traffic is hitting the new key (lastUsedAt updates in the dashboard).
- Revoke the old key.
Security notes
- Treat keys like passwords. Never embed them in mobile apps, browser-side JavaScript, or public repositories. Proxy through a server you control.
- A revoked key cannot be reactivated — mint a new one if you revoked by accident.
- We never log raw keys. The dashboard only shows the leading prefix (cp_live_a1b2…) for identification.
Next: call your first endpoint — List released blogs.