Core concepts

Authentication & API keys

The API and CLI authenticate with a tenant-scoped bearer API key. The web app uses OAuth2. Both resolve to the same tenant, with isolation enforced in the database.

API keys

An API key (sk_live_…) is scoped to a single tenant. Pass it as a bearer token on every request:

http
Authorization: Bearer sk_live_…

Create and revoke keys from Settings → API keys in the dashboard. A key grants full access to its workspace, so:

  • Never commit keys. Keep them in a secret manager or environment variable, never in source control.
  • Rotate on exposure. Revoke a leaked key immediately and mint a new one — revocation takes effect at once.
  • One key per integration. Use separate keys for your CI, your CLI, and each agent so you can revoke them independently.

CLI credentials

The socializer login command stores your key and API URL in ~/.socializer/config.toml. Override them per invocation with --api-key and --api-url, or via environment variables for ephemeral/agent contexts:

shell
export SOCIALIZER_API_KEY="sk_live_…"
export SOCIALIZER_API_URL="https://socializer.co"

socializer status --json

OAuth2 for the web app

The dashboard authenticates users with OAuth2 (email or Google) and exchanges that for a session bound to the same tenant the API keys belong to. You never paste an API key into the browser — the dashboard talks to the API same-origin with its session.

How connected-account credentials are stored

The keys above authenticate you to Socializer. The credentials for your connected social accounts (OAuth tokens for X, LinkedIn, and the rest) are envelope-encrypted at rest — encrypted with per-tenant data keys, which are themselves encrypted by a root key. Unlike tools that store provider tokens in plaintext, a database read alone never yields a usable token. Disconnecting a profile purges its credentials.
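
The envelope scheme described above can be illustrated as follows. This is an added example, not Socializer's code: the cipher (AES-256-GCM), the blob layout, the use of the tenant ID as associated data, and all function names are assumptions, and the root key is generated inline only so the example runs offline.

```ruby
require "openssl"

NONCE_LEN = 12 # bytes, GCM nonce
TAG_LEN = 16   # bytes, GCM authentication tag

# Encrypt with AES-256-GCM (assumed cipher). The tenant ID is bound as associated
# data. Output layout (this example's choice): nonce || tag || ciphertext.
def seal(key, plaintext, tenant)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = tenant
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Raises OpenSSL::Cipher::CipherError when the key, tenant ID or blob has been changed.
def unseal(key, blob, tenant)
  raise ArgumentError, "blob too short" if blob.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = tenant
  cipher.update(blob.byteslice(NONCE_LEN + TAG_LEN, blob.bytesize)) + cipher.final
end

# Create a tenant's data key; only this wrapped form would be stored in the database.
def new_tenant_key(root_key, tenant)
  seal(root_key, OpenSSL::Random.random_bytes(32), tenant)
end

# Unwrap the tenant's data key with the root key, then encrypt the provider token.
def encrypt_token(root_key, wrapped_key, tenant, token)
  seal(unseal(root_key, wrapped_key, tenant), token, tenant)
end

# Decryption needs the root key: the two stored values alone are not enough.
def decrypt_token(root_key, wrapped_key, tenant, blob)
  unseal(unseal(root_key, wrapped_key, tenant), blob, tenant)
end

if __FILE__ == $PROGRAM_NAME
  root = OpenSSL::Random.random_bytes(32) # constructed root key for the demo
  wrapped = new_tenant_key(root, "tenant_a")
  blob = encrypt_token(root, wrapped, "tenant_a", "constructed-provider-token")
  puts decrypt_token(root, wrapped, "tenant_a", blob)
end
```

Someone holding only the wrapped key and the token blob (the database contents in this model) cannot decrypt either without the root key, and a blob presented under a different tenant ID fails authentication.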

Auth errors

A missing or invalid key returns 401 with the standard error envelope; a valid key acting outside its tenant returns 403:

json
{ "error": { "code": "unauthorized", "message": "Invalid API key" } }