Authentication

Secure your API requests using Bearer tokens.

API Keys

You can obtain your API key in the workspace integration screen inside Drock. Keys are team-scoped and can optionally be restricted to a subset of blogs.

```http
Authorization: Bearer drock_XXXXXXXXXXXX
```

Security Warning

Never expose your API keys in public frontend applications.

Authenticated Request Example

```bash
curl -X GET "https://api.getdrock.com/api/v1/blogs" \
  -H "Authorization: Bearer YOUR_API_KEY"
```

Key Scope

A valid key can read public blogs and public articles inside its permitted scope. If blog_access_scope is empty, the key can read all public blogs in the workspace.

Header Validation

Drock expects the exact Bearer format. A header that omits the Bearer prefix or carries an empty token returns 401 Unauthorized.

```http
Authorization: Bearer YOUR_API_KEY
Authorization: YOUR_API_KEY  # invalid
Authorization: Bearer       # invalid
```

Public Browser Requests

Public /api/v1/* endpoints answer CORS preflights and allow the Authorization header, but production integrations must still use a backend proxy so API keys never reach the browser.
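
A sketch of the backend proxy described above, as an added example that is not Drock's own code: the browser calls this service, which attaches the key server-side in the exact Bearer format. The `DROCK_API_KEY` environment variable, the listen address, the path allowlist and the JSON content type are assumptions.

```python
import os
import re
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

UPSTREAM = "https://api.getdrock.com"  # host from the page's curl example
# Assumption: only /api/v1/ GETs with a conservative character set are proxied.
ALLOWED = re.compile(r"/api/v1/[A-Za-z0-9_\-/]*(\?[A-Za-z0-9_\-=&%.]*)?")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib would otherwise resend Authorization to the new location

OPENER = urllib.request.build_opener(_NoRedirect)

def build_upstream_request(path, api_key):
    """GET for Drock in exact 'Bearer <token>' form. ValueError: path. RuntimeError: key."""
    if not ALLOWED.fullmatch(path):
        raise ValueError("path not allowed")
    token = (api_key or "").strip()
    if not token or any(c.isspace() for c in token):
        raise RuntimeError("DROCK_API_KEY missing or malformed")
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(UPSTREAM + path, method="GET", headers=headers)

class Proxy(BaseHTTPRequestHandler):  # browser-supplied headers are never forwarded
    def do_GET(self):
        try:
            # Key name is an assumption; it lives only in the server's environment.
            req = build_upstream_request(self.path, os.environ.get("DROCK_API_KEY"))
            with OPENER.open(req, timeout=10) as resp:
                self._reply(resp.status, resp.read())
        except ValueError:
            self._reply(400, b'{"error":"path not allowed"}')
        except RuntimeError:
            self._reply(500, b'{"error":"proxy misconfigured"}')
        except urllib.error.HTTPError as err:
            self._reply(err.code, b'{"error":"upstream error"}')  # body not echoed
        except OSError:  # DNS failure, refused connection, timeout
            self._reply(502, b'{"error":"upstream unreachable"}')

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")  # assumed response type
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    ThreadingHTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

Because the proxy sends no CORS headers of its own, serve it from the same origin as the frontend or add an explicit origin allowlist.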