Authenticate every request by passing your API key in theDocumentation Index
Fetch the complete documentation index at: https://docs.politicalcomms.com/llms.txt
Use this file to discover all available pages before exploring further.
X-API-Key header. Keys are scoped to your organization hierarchy - you can only access your own data and the data of any descendant organizations.
Issuing and rotating keys
- From the dashboard, go to Admin → API Keys.
- Click New Key. Give it a descriptive name (e.g. “Production CRM sync”, “Staging analytics export”). The key is shown only once - copy it immediately and store it in a secret manager.
- To rotate, generate a new key, swap it into your deployed apps, verify traffic on the new key, then revoke the old one.
- To revoke compromised keys, click Revoke - the key stops working immediately.
Scoping
API keys are scoped to your organization’s hierarchy. A key issued at the parent organization can read data from all descendant organizations; a key issued at a sub-org can only read data within that sub-org and its descendants. Cross-tree access is never possible. Errors you’ll see if scoping blocks a request:| Code | Meaning |
|---|---|
INVALID_API_KEY | Key is missing, malformed, or has been revoked. |
ORG_ACCESS_DENIED | The organization_id you requested is not in your accessible hierarchy. |
PERMISSION_DENIED | Your key is valid but lacks the permission scope this endpoint requires. |
Per-key best practices
- Separate keys per environment. Production, staging, and local dev should have distinct keys.
- Separate keys per integration. Your CRM sync, your analytics export, and your internal admin tool should each have their own key. If one is compromised you can revoke it without breaking the others.
- Audit usage. The dashboard shows request counts and last-used timestamps per key. Investigate keys that haven’t been used in 30+ days - they’re often candidates for deletion.