← Back to Help Center

API Access & Keys

Last updated: June 2026

The Anthyx REST API gives you programmatic access to your workspace data — create posts, read analytics, manage brands, and receive real-time events via webhooks. This guide covers generating API keys, authenticating requests, understanding rate limits, and setting up webhooks.

Generating an API key

  1. Go to Settings → Integrations → API keys.
  2. Click Generate new key.
  3. Give the key a descriptive name (e.g. “Zapier integration” or “Internal CMS sync”).
  4. Optionally restrict the key to specific IP addresses using the IP allowlist field.
  5. Click Create. The key is shown once — copy it immediately and store it securely. Anthyx does not store the raw key value.

You can generate up to 5 API keys on Starter, 20 on Growth, and unlimited on Agency. Delete unused keys under the same settings panel to reduce your attack surface.

Authenticating requests

Include your API key in the Authorization header of every request:

Authorization: Bearer anthyx_live_xxxxxxxxxxxxxxxx

All API requests must be made over HTTPS. HTTP requests are rejected with a 301 redirect. The base URL for the API is https://api.useanthyx.com/v1. Full endpoint documentation is available at docs.useanthyx.com/api.

Rate limits

API rate limits are enforced per API key:

  • Free / Starter — 60 requests per minute, 5,000 per day
  • Growth — 300 requests per minute, 50,000 per day
  • Agency — 1,000 requests per minute, unlimited per day

Rate limit status is returned in response headers: X-RateLimit-Limit,X-RateLimit-Remaining, and X-RateLimit-Reset (Unix timestamp). Exceeding the limit returns 429 Too Many Requests. Implement exponential backoff and respect the Retry-After header.

Webhook setup

Webhooks deliver real-time event notifications to your endpoint. Go to Settings → Integrations → Webhooks → Add endpoint and enter your destination URL. Select which events to subscribe to (see the full event list in the Integrations guide). Anthyx signs each request with an HMAC-SHA256 signature using your webhook secret:

X-Anthyx-Signature: sha256=<hex_digest>

Verify this signature in your endpoint handler before processing the payload. Unverified requests should be rejected with a 400 status.

Key rotation and revocation

Rotate API keys periodically or immediately if you suspect a key has been compromised. To revoke a key, click Delete next to it in Settings → Integrations → API keys. Revocation is immediate — any in-flight requests using the deleted key will receive a 401 response. Create a replacement key before revoking the old one to avoid downtime.

Related articles

Still stuck? Email support