API Keys and Authentication
Every SDK call authenticates with an Export API key.
Generate a key
Go to Settings → Platforms → Connect SDK → Generate API Key. The key has the format rh_export_....
Regenerating
Regenerating produces a new key and invalidates the old one immediately. Any deployment still using the old key will start receiving 401 responses, so roll the value in your environment at the same time.
Account-scoped: spans all workspaces
The key is tied to your user account, not to the workspace you are currently viewing. A single key can read articles from every workspace you own.
By default listArticles() returns articles from all of your workspaces. To restrict results to one workspace, pass the workspaceId param (see the Filtering, Workspaces and Sync page).
Read-only, published by default
The key is read-only. By default only published articles are returned; drafts and scheduled posts are not returned unless you explicitly pass status: 'draft' or status: 'scheduled'.
How the key is sent
The SDK sends the key automatically as an HTTP header:
X-API-Key: rh_export_...
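The Export API also accepts the key as a query parameter (?apiKey=rh_export_...), which the low-level request() method can use, but the header is what the typed methods send. Prefer the header: a key carried in the URL is commonly recorded in server and proxy logs and in browser history.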
CORS
The export endpoints respond with a wildcard CORS header (Access-Control-Allow-Origin: *), so browser calls work from any origin.
Security: prefer the server
In the browser, the API key is visible in network requests. Because the key is read-only, exposing it is low risk for content that is already published, but the same key also returns drafts and scheduled posts when status is passed and covers every workspace you own, so the safest pattern is to keep it server-side:
- Call createClient in a Next.js Server Component or other server code, or
- Put a small proxy in front of the API and call that from the browser.
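The proxy option above, as an added example that is not RankHiker's own code: the server holds the client and decides what a browser request may ask for, so the browser cannot select another workspace or request drafts. It assumes listArticles() takes an options object with the workspaceId and status params named on this page; the `tag` param and the workspace id are constructed for the demo.

```javascript
// Added example (not RankHiker code). ASSUMPTION: listArticles() accepts an
// options object carrying the workspaceId and status params this page names.

// Params the browser must never control: the key itself, the workspace scope,
// and the status filter that would expose drafts or scheduled posts.
const SERVER_ONLY = new Set(['apiKey', 'workspaceId', 'status']);

// Turn an untrusted browser query into the options passed to listArticles().
function buildListParams(query, cfg) {
  const params = {};
  for (const name of cfg.allowedParams) {
    if (SERVER_ONLY.has(name)) continue; // guard against a misconfigured allowlist
    const value = query[name];
    if (typeof value === 'string' && value.length <= 200) params[name] = value;
  }
  params.workspaceId = cfg.workspaceId; // pinned server-side: the key spans all workspaces
  return params; // status is never set, so only published articles are returned
}

// `client` is whatever createClient() returned on the server, built with a key
// read from a server-only env var (in Next.js, one without the NEXT_PUBLIC_ prefix).
function makeArticlesHandler(client, cfg) {
  return async function handle(query) {
    try {
      const articles = await client.listArticles(buildListParams(query, cfg));
      return { status: 200, body: articles };
    } catch (err) {
      // Covers the 401 that follows a key regeneration; upstream details are not relayed.
      return { status: 502, body: { error: 'upstream unavailable' } };
    }
  };
}

// Constructed demo: a fake client records the options that would go upstream.
function demo() {
  const seen = [];
  const fakeClient = { listArticles: async (p) => { seen.push(p); return []; } };
  const cfg = { workspaceId: 'ws_constructed_1', allowedParams: ['tag'] }; // 'tag' is hypothetical
  const handle = makeArticlesHandler(fakeClient, cfg);
  handle({ tag: 'news', status: 'draft', workspaceId: 'ws_other', apiKey: 'x' });
  return seen[0]; // { tag: 'news', workspaceId: 'ws_constructed_1' }
}
```

Mount `handle` behind whatever route your server framework provides and pass it the parsed query object.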
www baseUrl gotcha:
const rh = createClient({
apiKey: process.env.NEXT_PUBLIC_RANKHIKER_API_KEY!,
baseUrl: 'https://rankhiker.com',
});