API Reference
Authentication
Blogree uses two authentication methods: JWT tokens for the Management API (dashboard operations), and API Keys for the public Pull API (fetching published posts from your site).
JWT Token
For Management API — creating posts, managing sites, analytics. Token expires in 7 days.
API Key
For Pull API — fetching published posts from connected sites. Long-lived, rotatable.
JWT Authentication (Management API)
Register an account or log in to receive a JWT. Include it in the Authorization header of every management API request.
Register
POST /api/auth/register
Content-Type: application/json
{
  "name": "Yasir Khan",
  "email": "yasir@example.com",
  "password": "your_secure_password"
}
// Response
{
  "user": { "id": "user_abc", "name": "Yasir Khan", "email": "yasir@example.com" },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expires_at": "2026-04-09T14:30:00Z"
}
Login
POST /api/auth/login
Content-Type: application/json
{ "email": "yasir@example.com", "password": "your_secure_password" }
// Response (same structure as register)
Using the JWT Token
// Include in all Management API requests:
GET /api/posts
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
💡 JWT tokens expire after 7 days. Your client should handle 401 Unauthorized responses by redirecting to the login flow.
API Key Authentication (Pull API)
Your site's API key is generated when you connect a site to Blogree. Find it in Sites → your site → Settings → API Key. Use it to fetch published posts from your frontend code.
// Fetch all published posts (public Pull API):
GET /api/pull/posts
X-API-Key: bk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
// Response
{
  "posts": [
    {
      "id": "post_xyz789",
      "slug": "my-blog-post",
      "title": "My Blog Post Title",
      "excerpt": "Short summary...",
      "published_at": "2026-04-02T09:00:00Z",
      "tags": ["AI", "blogging"]
    }
  ],
  "total": 42
}
// Fetch single post by slug:
GET /api/pull/posts/my-blog-post
X-API-Key: bk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
⚠️ API Keys are site-specific. A key from Site A cannot access posts for Site B. Never expose your API key in client-side JavaScript for public sites — use it in server-side rendering only.
Rotating API Keys
POST /api/sites/:id/rotate-keys
Authorization: Bearer <jwt_token>
// Response
{
  "site_id": "site_abc123",
  "new_api_key": "bk_live_newkeyhere...",
  "new_webhook_secret": "whs_newSecretHere...",
  "rotated_at": "2026-04-02T14:30:00Z"
}
// ⚠️ Update your environment variables immediately after rotating!
Rate Limits
When rate limited, you receive a 429 Too Many Requests response with a Retry-After header indicating seconds to wait.
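The server-side-only key handling and the 429 / Retry-After behaviour described above, combined in one added example (not Blogree's own code). The environment variable names BLOGREE_API_KEY and BLOGREE_BASE_URL, the host https://blogree.example, the 60-second cap and the three-attempt limit are assumptions.

```javascript
// Added example: server-side Pull API client (Node 18+, global fetch).
// Assumed names: BLOGREE_API_KEY / BLOGREE_BASE_URL env vars, placeholder host.

// Retry-After is documented as seconds to wait; reject junk and cap the wait.
function retryDelayMs(headerValue, maxSeconds = 60) {
  const seconds = Number.parseInt(headerValue, 10);
  if (!Number.isFinite(seconds) || seconds < 0) return 1000; // fallback: 1 s
  return Math.min(seconds, maxSeconds) * 1000;
}

// Build the request on the server; the key comes from the environment only,
// so it never ships in a browser bundle and is replaced by a redeploy after rotation.
function buildPullRequest(slug, env = process.env) {
  const key = env.BLOGREE_API_KEY;
  if (!key) throw new Error("BLOGREE_API_KEY is not set");
  const base = env.BLOGREE_BASE_URL || "https://blogree.example"; // placeholder host
  // encodeURIComponent keeps a visitor-supplied slug from altering the path.
  const path = slug
    ? `/api/pull/posts/${encodeURIComponent(slug)}`
    : "/api/pull/posts";
  return { url: base + path, headers: { "X-API-Key": key } };
}

// Fetch posts, honouring 429 + Retry-After. fetchImpl and sleep are injectable.
async function pullPosts(slug, opts = {}) {
  const {
    env = process.env,
    fetchImpl = fetch,
    maxAttempts = 3,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = opts;
  const { url, headers } = buildPullRequest(slug, env);
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const res = await fetchImpl(url, { headers });
    if (res.status === 429 && attempt < maxAttempts) {
      await sleep(retryDelayMs(res.headers.get("Retry-After")));
      continue;
    }
    if (!res.ok) {
      // Report the status only; never echo the key or request headers into logs.
      throw new Error(`Pull API request failed with status ${res.status}`);
    }
    return res.json();
  }
}
```

Call pullPosts() from a server-rendered route or build step and pass only the returned post data to the browser.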