Overview Key format Usage Security Rotating keys Auth errors Rate limits Pagination

Overview

All requests to the Dreabee API must be authenticated. We use API keys — long-lived tokens that are tied to your account and carry your plan's permissions and rate limits.

There are two types of keys:

Live keys (drea_live_...) — Use in production. These keys access real data and count against your monthly request quota.

Test keys (drea_test_...) — Use in development. Requests are sandboxed and return mock data. Test requests do not count toward your quota.

Never expose your live API key in client-side code, public repositories, or error messages. If compromised, rotate it immediately from your dashboard.

Key format

Dreabee API keys follow a consistent format that encodes the environment and type, making them easy to identify at a glance.

drea_live_sk_a7f3k9m2x8q1r5t0p4w6n
drea_
live_
sk_
a7f3k9m2x8q1r5t0p4w6n
Prefix — always drea_
Environment — live_ or test_
Type — sk_ (secret key)
Secret — 22-character random string
You can validate locally whether a string looks like a valid Dreabee key by checking it matches the pattern drea_(live|test)_sk_[a-z0-9]{22} — though this doesn't verify the key is active or authorised.

Usage

Pass your API key as a Bearer token in the Authorization HTTP header on every request.

HTTP Header
Authorization: Bearer drea_live_sk_your_key_here

Example requests

cURLget-creator.sh
curl https://api.dreabee.com/v2/creator/luxestyle \
  -H "Authorization: Bearer $DREABEE_API_KEY" \
  -G \
  -d "platform=instagram"
Pythonauth_example.py
import os
from dreabee import DreabeeClient

# Load key from environment — never hardcode
client = DreabeeClient(api_key=os.environ["DREABEE_API_KEY"])

# The client handles auth headers automatically
creator = client.creator.get("luxestyle", platform="instagram")
print(creator.authenticity_score) # 91.4
Node.jsauth_example.js
import { DreabeeClient } from '@dreabee/sdk'

// Load from env — process.env.DREABEE_API_KEY
const client = new DreabeeClient(process.env.DREABEE_API_KEY)

const creator = await client.creator.get({
  handle: 'luxestyle',
  platform: 'instagram'
})
console.log(creator.authenticity_score) // 91.4
All Dreabee SDKs handle auth headers automatically when initialised with an API key. You never need to set headers manually when using an official SDK.

Security best practices

Store keys in environment variables

Never hardcode API keys in source code. Store them in environment variables and load them at runtime.

Shell.env
# .env — add to .gitignore
DREABEE_API_KEY=drea_live_sk_your_key_here

# Use test key during development
DREABEE_TEST_KEY=drea_test_sk_your_test_key
Never commit API keys to git. Add .env to your .gitignore. If you accidentally expose a key in a public repo, rotate it immediately — treat it as compromised.

Use separate keys per environment

Generate distinct keys for development, staging, and production. This way you can revoke a single environment's access without affecting others.

Restrict key permissions

In your dashboard, you can scope keys to specific endpoints or IP addresses. Use the minimum permissions your integration actually needs.

Rotating API keys

You can generate a new API key at any time from Settings → API Keys in your dashboard. When you rotate a key:

1. Generate the new key in your dashboard — it's active immediately.
2. Update your application to use the new key.
3. Delete the old key once you've confirmed everything works.

You can have multiple active keys simultaneously, making zero-downtime rotation possible. Old keys remain valid until you explicitly revoke them.

Authentication errors

When authentication fails, the API returns a structured JSON error body alongside an HTTP error status.

Status Error code Cause Fix
401 MISSING_KEY No Authorization header sent Add Authorization: Bearer {key} header
401 INVALID_KEY Key doesn't exist or is malformed Verify key from your dashboard
401 REVOKED_KEY Key was deleted or revoked Generate a new key in Settings
403 PLAN_RESTRICTED Endpoint not available on your plan Upgrade your plan or use a different endpoint
429 RATE_LIMITED Request rate exceeded Back off and retry after Retry-After seconds
JSONerror response
{
  "error": {
    "code": "INVALID_KEY",
    "message": "The API key provided is invalid or has been revoked.",
    "status": 401,
    "docs": "https://docs.dreabee.com/api/authentication#errors"
  }
}

Rate limits

Rate limits are enforced per API key. Every response includes headers that tell you your current usage:

Response Headers
X-RateLimit-Limit: 60 # Requests per minute
X-RateLimit-Remaining: 47 # Remaining in current window
X-RateLimit-Reset: 1705929600 # Unix timestamp when window resets
X-Monthly-Limit: 50000 # Total monthly quota
X-Monthly-Remaining: 49953 # Monthly remaining
Free
20/min
Starter
60/min
Growth
300/min
Pro
1,000/min

When rate-limited, wait the number of seconds in the Retry-After header before retrying. Implement exponential backoff for resilience.