API Keys
API keys are the simplest way to authenticate with the SchedPilot API. Each key is tied to your SchedPilot user account and grants full access to all API endpoints on behalf of that user.
Creating an API key
- Log in to app.schedpilot.com.
- Navigate to app.schedpilot.com/api-access.
- Click Create Key and give the key a descriptive label (e.g. my-automation-script or ai-agent-prod).
- Copy the key value displayed on screen; it starts with smm_ followed by a string of hexadecimal characters.
The full key value is shown only once. If you lose it, you will need to revoke it and create a new one.
Key format
All SchedPilot API keys follow this pattern:
smm_<hex_string>
Example: smm_4a9f3c1e8b205d7a6e0f2c49b8d3a15f
Authenticating requests
Pass your API key in the X-API-KEY HTTP request header on every call:
curl https://api.schedpilot.com/developers/v1/accounts \
-H "X-API-KEY: smm_4a9f3c1e8b205d7a6e0f2c49b8d3a15f"
The header name is case-insensitive, but X-API-KEY is the canonical form used throughout this documentation.
Revoking an API key
If a key is compromised or no longer needed, you can revoke it at any time:
- Go to app.schedpilot.com/api-access.
- Find the key in the list and click Revoke.
- The key becomes invalid immediately; any requests using it will receive a 401 Unauthorized response.
Revoking a key does not affect your account, connected social profiles, or scheduled posts.
Security best practices
- Treat your API key like a password. Anyone who obtains the key can make API calls on behalf of your account.
- Never commit keys to source control. Store them in environment variables or a secrets manager (e.g. .env files excluded via .gitignore, AWS Secrets Manager, HashiCorp Vault).
- Use separate keys per application. This makes it easy to revoke a single integration without disrupting others.
- Rotate keys periodically. Create a replacement key, update your application, then revoke the old one.
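One way to enforce the "never commit keys" rule is a pre-commit check for the smm_ key format described above. This is an added example, not SchedPilot's own tooling; the 16-character minimum hex length, the function names, and the SCHEDPILOT_API_KEY variable in the sample are assumptions.

```python
"""Scan files for SchedPilot-style API keys (smm_<hex>) before they are committed."""
import re
import sys

# Assumption: the docs only say "smm_" followed by hexadecimal characters; the
# 16-character minimum is chosen here to cut false positives on short tokens.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])smm_[0-9a-fA-F]{16,}(?![A-Za-z0-9_])")


def redact(key):
    """Keep the prefix and last 4 characters so a finding is safe to log."""
    return "smm_" + "*" * (len(key) - 8) + key[-4:]


def scan_text(text, name="<stdin>"):
    """Return (name, line_number, redacted_key) for every key-like token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((name, lineno, redact(match.group(0))))
    return findings


def scan_paths(paths):
    """Scan each readable file; unreadable or deleted paths are skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings.extend(scan_text(handle.read(), path))
        except OSError:
            continue
    return findings


# Constructed sample: uses the example key from this page, not a real key.
SAMPLE = "\n".join([
    "# constructed sample input",
    'api_key = os.environ["SCHEDPILOT_API_KEY"]  # hypothetical variable name',
    'headers = {"X-API-KEY": "smm_4a9f3c1e8b205d7a6e0f2c49b8d3a15f"}',
    'label = "smm_followed by hex"',
])

if __name__ == "__main__":
    args = sys.argv[1:]
    results = scan_paths(args) if args else scan_text(SAMPLE, "sample")
    for name, lineno, masked in results:
        print(f"{name}:{lineno}: possible SchedPilot API key {masked}")
    sys.exit(1 if results else 0)
```

Called from a Git pre-commit hook with the staged file paths as arguments, the non-zero exit status blocks the commit.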
Rate limits
Authenticated API calls are subject to the following rate limits per user:
| Request type | Limit |
|---|---|
| Read requests (GET) | 60 per hour |
| Write requests (POST, DELETE) | 30 per hour |
Limits are enforced per user account, not per key. If you have multiple keys for the same account, they share the same quota. When a limit is exceeded the API returns 429 Too Many Requests.