API Key Best Practices

Follow these best practices to keep your SiteX API integration secure and reliable.

Security

  • One key per agent - Create a separate API key for each application or AI agent. A compromised or retired agent can then be revoked on its own without affecting the others, and usage stats can be attributed to a single agent.
  • Minimum permissions - Only grant the permissions each agent actually needs. A content writer agent doesn't need delete permissions.
  • IP whitelisting - If your agent runs from a fixed IP (dedicated server, VPS), enable IP whitelisting.
  • Never hardcode keys - Store API keys in environment variables or a secure secrets manager, never in source code, and keep them out of version control, build logs and chat tools.
  • Rotate regularly - Regenerate API keys periodically (recommended: every 90 days), and immediately if a key may have leaked.
  • Monitor usage - Review API usage stats in the admin panel. Unexpected spikes, or calls at unusual times or from unfamiliar addresses, may indicate a compromised key.

Reliability

  • Handle errors gracefully - Always check response status codes. Retry 429 and 5xx responses with exponential backoff (add jitter so many agents do not retry in lockstep). Do not retry other 4xx responses such as 401, 403, 409 or 422: they indicate a problem with the request itself and will fail the same way again.
  • Respect rate limits - Monitor X-RateLimit-Remaining headers and slow down before hitting the limit.
  • Validate before sending - Check required fields and content length before making API calls to reduce 422 errors.
  • Use test keys for development - Test keys (sx_test_) let you develop and test without affecting published content.
  • Log everything - Log API requests and responses for debugging. Include timestamps, request IDs, and response codes, but redact the API key and the Authorization header so the key cannot be recovered from log files.

Content Quality

  • Set content as draft first - Have agents create content as drafts, then review and publish manually until you trust the output quality.
  • Include SEO fields - Always provide meta_title and meta_description for better search engine results.
  • Use proper HTML - Send well-formatted HTML in the content field. SiteX does not auto-format plain text.
  • Check for duplicates - Use meaningful, unique slugs and treat a 409 Conflict response as "this content already exists" rather than retrying the create.
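The practices in the Security, Reliability and Content Quality sections above, combined into one small client wrapper. This is an added example written for this page, not SiteX's official SDK. The 429/5xx retry rule, the X-RateLimit-Remaining header, the sx_test_ prefix, the 409 and 422 meanings and the meta_title/meta_description/content/slug fields come from the page; the SITEX_API_KEY variable name, the /v1/posts path, the Bearer token header format, the "status": "draft" field, the content length limit and the scripted offline transport are assumptions made so the example runs without network access.

```python
import logging
import os
import random
import time
import uuid

log = logging.getLogger("sitex")
TEST_KEY_PREFIX = "sx_test_"   # test-key prefix documented on the page


def load_api_key(env_var="SITEX_API_KEY"):
    """Read the key from the environment, never from source (variable name assumed)."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; export it or load it from a secrets manager")
    return key


def redact(key):
    """Log-safe form of a key: prefix plus the last four characters, never the whole key."""
    return f"{key[:8]}...{key[-4:]}" if len(key) > 12 else "***"


def is_test_key(key):
    return key.startswith(TEST_KEY_PREFIX)


def is_retryable(status):
    """Only 429 and 5xx are retried; 401/403/409/422 will fail the same way again."""
    return status == 429 or 500 <= status < 600


def validate_post(post, max_content_len=100_000):
    """Client-side checks mirroring what the API would reject with 422 (length limit assumed)."""
    required = ("title", "slug", "content", "meta_title", "meta_description")
    problems = [f"missing {f}" for f in required if not post.get(f)]
    if len(post.get("content", "")) > max_content_len:
        problems.append("content too long")
    return problems


class SiteXClient:
    """transport(method, path, headers, json_body) -> (status, headers, json_body)."""

    def __init__(self, api_key, transport, base="/v1", max_retries=5,
                 sleep=time.sleep, jitter=random.random):
        self.api_key, self.transport, self.base = api_key, transport, base
        self.max_retries, self.sleep, self.jitter = max_retries, sleep, jitter
        self.remaining = None   # last X-RateLimit-Remaining value seen

    def request(self, method, path, body=None):
        for attempt in range(self.max_retries + 1):
            request_id = str(uuid.uuid4())
            headers = {"Authorization": f"Bearer {self.api_key}",   # header format assumed
                       "X-Request-ID": request_id, "Content-Type": "application/json"}
            status, resp_headers, resp_body = self.transport(method, self.base + path, headers, body)
            # Log status and request ID with the key redacted.
            log.info("%s %s -> %d request_id=%s key=%s", method, path, status, request_id,
                     redact(self.api_key))
            if is_retryable(status):
                if attempt == self.max_retries:
                    raise RuntimeError(f"giving up after {attempt} retries (last status {status})")
                self.sleep(min(2 ** attempt, 30) + self.jitter())   # exponential backoff + jitter
                continue
            remaining = resp_headers.get("X-RateLimit-Remaining")
            if remaining is not None:
                self.remaining = int(remaining)
                if self.remaining <= 1:            # slow down before the limit is hit
                    log.warning("rate limit nearly exhausted, throttling")
                    self.sleep(1.0)
            return status, resp_body

    def create_post(self, post, publish=False):
        problems = validate_post(post)
        if problems:
            raise ValueError("not sending: " + ", ".join(problems))
        payload = dict(post, status="published" if publish else "draft")   # status field assumed
        status, body = self.request("POST", "/posts", payload)             # path assumed
        if status == 409:
            raise FileExistsError(f"slug {post['slug']!r} already exists; do not retry")
        if status == 422:
            raise ValueError(f"API rejected the post: {body}")
        if status not in (200, 201):
            raise RuntimeError(f"unexpected status {status}")
        return body


def scripted_transport(responses):
    """Constructed offline transport that returns the scripted responses in order."""
    def transport(method, path, headers, body):
        assert headers["Authorization"].startswith("Bearer "), "key must be sent as a bearer token"
        return responses.pop(0)
    return transport


def demo():
    """Create a draft through a transport that answers 503, then 429, then 201."""
    os.environ.setdefault("SITEX_API_KEY", "sx_test_0123456789abcdef")   # constructed test key
    key = load_api_key()
    assert is_test_key(key), "develop against a test key, not a live one"
    responses = [
        (503, {}, {"error": "upstream unavailable"}),
        (429, {"X-RateLimit-Remaining": "0"}, {"error": "slow down"}),
        (201, {"X-RateLimit-Remaining": "1"}, {"id": 42, "slug": "hello-world", "status": "draft"}),
    ]
    sleeps = []   # record backoff delays instead of actually sleeping
    client = SiteXClient(key, scripted_transport(responses), sleep=sleeps.append, jitter=lambda: 0.0)
    post = {"title": "Hello", "slug": "hello-world", "content": "<p>Hello, world.</p>",
            "meta_title": "Hello", "meta_description": "A first post."}
    return client.create_post(post), sleeps, client.remaining


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

Running demo() returns the created draft, the recorded delays [1.0, 2.0, 1.0] (two backoff waits for the 503 and 429, then a throttle pause because only one request remained in the window) and the last rate-limit value. In production the transport would wrap a real HTTP library and sleep would be time.sleep; the injectable transport is what makes the retry and logging logic testable without a key.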

Checklist

Item                                          Status
Dedicated API key created                     -
Minimum permissions assigned                  -
IP whitelisting configured (if applicable)    -
Key stored in environment variable            -
Error handling implemented                    -
Rate limit handling implemented               -
Test mode verified before going live          -
Logging configured                            -