
How Do I Authenticate API Requests Safely?

Updated over a month ago

Authentication is how you prove your identity to the BrandMentions API.
Every request you send must include your unique API key, so the system knows which account it belongs to and can protect your data from unauthorized access.

How to authenticate BrandMentions API requests

The BrandMentions API uses a simple API-key-based authentication model.

After you receive your API key from the BrandMentions team, you authenticate each request by including the key as a query parameter in the request URL.

Basic authenticated request example

https://api.brandmentions.com/command.php?api_key=YOUR_API_KEY&command=GetRemainingCredits

In this example:

  • https://api.brandmentions.com/command.php
    is the base URL of the BrandMentions API.

  • api_key=YOUR_API_KEY
    is the query parameter that contains your API key.
    Replace YOUR_API_KEY with the real key that was provided to you.

  • command=GetRemainingCredits
    is the specific API command you are calling.

You will use the same pattern for other commands, always making sure that:

  • api_key is present in the query string

  • The value is your actual API key, kept secret and never shared publicly

Example with curl

Here is a simple example using curl from the command line:

curl "https://api.brandmentions.com/command.php?api_key=YOUR_API_KEY&command=GetRemainingCredits"

You can adapt this pattern in any programming language or HTTP client library as long as:

  • The request hits the correct URL

  • Your api_key parameter is included

  • The command and other parameters are valid for the BrandMentions API

Best practices for safe authentication

Using the correct query parameter is only the first step. The real security comes from how you store, use, and protect your API key.

Below are the most important best practices to follow.

1. Keep your API key secret

Treat your API key like a password.

  • Do not share it in chat, screenshots, or documentation that others can see.

  • Do not paste it into support forums or public tickets.

  • Only give it to people and systems that absolutely need access.

If someone gets your key, they can use the BrandMentions API as if they were you.

2. Use environment variables to store your API key

Never hard-code your API key directly into your application code.

Instead:

  • Store the key in an environment variable (for example BRANDMENTIONS_API_KEY).

  • Read the variable from your code at runtime.

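Example in Python:

import os
import requests

# Read the key from the environment at runtime; a KeyError here means the variable is not set.
API_KEY = os.environ["BRANDMENTIONS_API_KEY"]
url = f"https://api.brandmentions.com/command.php?api_key={API_KEY}&command=GetRemainingCredits"

# A timeout keeps a stalled connection from hanging the application.
response = requests.get(url, timeout=10)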

3. Do not commit your API key to version control

If you use Git or another version control system:

  • Never commit files that contain your API key.

  • Add configuration files with secrets to .gitignore or the equivalent ignore mechanism.

If a key is committed to a public repository, assume it is compromised.

4. Use a server-side proxy for client-side applications

If you are building a client-side application (for example a JavaScript app running in the browser), you should never call the BrandMentions API directly from the browser with your API key in the URL.

Doing so would:

  • Expose your API key to anyone who opens the browser developer tools

  • Allow others to copy and reuse your key

Instead, use a server-side proxy:

  1. Your client-side app sends a request to your own backend server.

  2. Your backend server adds the api_key and calls the BrandMentions API.

  3. Your backend returns only the processed or filtered data to the client.

This pattern keeps the API key on the server only, where it is much easier to protect.
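The three proxy steps above, sketched as an added example (not BrandMentions' own code). The names handle and fetch_upstream, the /api path and the 127.0.0.1:8080 listener are assumptions, as is the JSON content type; the upstream body is passed through unchanged because the response format is not described on this page.

```python
import os
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://api.brandmentions.com/command.php"
ALLOWED_COMMANDS = {"GetRemainingCredits"}  # only the command shown on this page


def fetch_upstream(url):
    """Call the BrandMentions API from the server and return the raw body."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()


def handle(path, api_key, fetch=fetch_upstream):
    """Map a browser request such as /api?command=... to (status, body bytes)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
    command = query.get("command", [""])[0]
    if command not in ALLOWED_COMMANDS:
        return 400, b'{"error": "command not allowed"}'
    # Build the upstream query from scratch: the server's key plus the
    # allowlisted command. Nothing else the client sent is forwarded.
    upstream_url = UPSTREAM + "?" + urllib.parse.urlencode(
        {"api_key": api_key, "command": command})
    try:
        body = fetch(upstream_url)
    except Exception:
        # Exception text can contain the full URL, including the key,
        # so the client only ever sees a generic message.
        return 502, b'{"error": "upstream request failed"}'
    return 200, body


class ProxyHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        status, body = handle(self.path, os.environ["BRANDMENTIONS_API_KEY"])
        self.send_response(status)
        self.send_header("Content-Type", "application/json")  # assumed format
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProxyHandler).serve_forever()
```

The proxy's own access log records only the client's request line, which never contains the key. In a real deployment the proxy endpoint should sit behind your application's own user authentication, since anyone who can reach it can spend your API credits.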

5. Regenerate your API key if it is compromised

If you suspect that your API key has been exposed or misused:

  1. Stop using the compromised key in your applications.

  2. Contact BrandMentions support immediately and explain the situation.

  3. Ask them to revoke the old key and generate a new one.

  4. Update your environment variables and deployment configs with the new key.

Once the old key is revoked, any requests using it will no longer work, which prevents further unauthorized access.

By following these practices, you ensure that your API integrations are secure, reliable, and compliant with strong data protection standards.
