Setting Up Secure Authentication for Optimole API

This guide explains how to authenticate with the Optimole API to access various endpoints including cache invalidation features.

Authentication Method

Optimole API uses Bearer Token authentication with your account API key.

HTTP Headers

For all API requests, include the following header:

Authorization: Bearer YOUR_API_KEY

Where YOUR_API_KEY is the API key obtained from your Optimole dashboard.

Obtaining Your API Key

  1. Log in to your Optimole Dashboard
  2. Navigate to Settings > API
  3. Copy your API key or generate a new one if needed

Root API Keys vs. Sub API Keys

Optimole offers two types of API keys:

Root API Keys

  • Full access to all API endpoints
  • Can perform both read and write operations
  • Recommended for administrative tasks
  • Should be kept secure and not exposed in client-side code

Sub API Keys

  • Limited access to specific API endpoints
  • Primarily intended for read-only operations
  • Cannot access certain routes that modify data
  • Safer to use in client-side applications or shared environments

Note: If you're specifically working with cache invalidation endpoints, you should use a Root API key as these endpoints require write permissions.

Example Request

GET https://dashboard.optimole.com/api/optml/v2/some-endpoint
Authorization: Bearer opt_1a2b3c4d5e6f7g8h9i0j

Security Best Practices

  1. Never expose your Root API key in client-side code or public repositories
  2. Create Sub API keys with limited permissions for specific applications
  3. Rotate your API keys periodically
  4. Use environment variables to store API keys in your applications
  5. Implement IP whitelisting when possible for additional security
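
Practices 1 and 4 in code, as an added example that is not Optimole's own client code: the key is read from an environment variable, attached only to HTTPS requests for the host shown in the example request, and masked before it is logged. The variable name OPTIMOLE_API_KEY and the helper names are assumptions; some-endpoint is the page's placeholder path.

```python
import os
import urllib.request
from urllib.parse import urlsplit

API_HOST = "dashboard.optimole.com"   # host from the example request on this page
KEY_ENV_VAR = "OPTIMOLE_API_KEY"      # assumed variable name, not defined by Optimole


def load_api_key(env=os.environ):
    """Read the key from the environment; fail loudly rather than send an empty token."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def mask(key):
    """Form of the key that is safe to write to logs: last 4 characters only."""
    return "*" * max(len(key) - 4, 0) + key[-4:]


def build_request(url, key, method="GET"):
    """Attach the Bearer header only for HTTPS requests to the Optimole API host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError(f"refusing to send API key to {url!r}")
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {key}")
    return req


if __name__ == "__main__":
    # Constructed key so the demo runs offline; nothing is sent over the network.
    demo_env = {KEY_ENV_VAR: "constructed-demo-key-0000"}
    key = load_api_key(demo_env)
    req = build_request(f"https://{API_HOST}/api/optml/v2/some-endpoint", key)
    print(req.get_method(), req.full_url, "key:", mask(key))
```
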

API Key Management

If you need to:

  • Revoke an API key due to security concerns
  • Generate a new API key
  • Create Sub API keys

Visit the API section in your Optimole Dashboard settings.

Troubleshooting Authentication Issues

If you receive an Unauthorized response, check:

  1. Your API key is valid and active 
  2. You're using the correct authentication header format 
  3. You're using the appropriate API key type for the requested endpoint 
  4. Your account subscription is active