Skip to main content

Overview

API Keys enable programmatic access to Brand DNA’s features. Automate brand analyses, integrate with your existing tools, and build custom workflows—all through our RESTful API.
Pro/Agency Tier Only — API access requires a Pro or Agency subscription. See API Reference for full documentation.

What You Can Do with the API

Run Analyses

Programmatically analyze brands and retrieve results

Chat with Helix

Send messages to Helix AI and receive responses

Manage Workspace

Create, update, and retrieve workspace tasks

Track Competitors

Monitor competitor changes and receive alerts (Pro/Agency)

Export Reports

Generate and download PDF reports programmatically

Team Management

Add/remove team members and manage permissions (Agency)

Creating API Keys

1

Navigate to API Keys

Settings → API Keys → Create New Key
2

Name Your Key

Descriptive name (e.g., “Production Server”, “Testing”, “CI/CD Pipeline”)
3

Set Permissions

Select scopes for this key:
  • Read analyses
  • Run analyses
  • Chat with Helix
  • Manage workspace
  • Export reports
  • Full access (all permissions)
4

Copy & Secure

Copy key immediately (shown only once) and store securely
Security Critical: API keys are shown only once. If you lose a key, you must delete it and create a new one. Store keys in a password manager or secrets vault.

API Key Permissions

Scope Definitions

ScopeCapabilitiesUse Cases
read:analysesRetrieve analysis results, history, and metadataDashboards, reporting tools
write:analysesRun new brand analysesAutomation, batch processing
read:chatRetrieve Helix chat historyAudit logs, conversation backups
write:chatSend messages to Helix AIChatbots, integrations
read:workspaceView tasks and workspace dataProject management tools
write:workspaceCreate, update, delete tasksTask automation
read:competitorsRetrieve competitor tracking dataAnalytics dashboards
write:competitorsAdd/remove tracked competitorsAutomated monitoring
read:exportsDownload PDF exportsReport delivery systems
write:exportsGenerate new exportsAutomated reporting
admin:teamManage team members (Agency only)Provisioning automation
admin:fullAll permissions (equivalent to Owner access)Internal tools, testing
Scopes: read:analyses, write:analyses, read:exportsUse Case: Public-facing application that runs analyses and displays resultsWhy Minimal: Reduces risk if key is compromised
Scopes: read:analyses, read:workspace, read:competitorsUse Case: Internal analytics dashboard showing team performanceWhy Read-Only: No accidental data modification
Scopes: write:analyses, write:workspace, write:exportsUse Case: Nightly batch analysis and report generationWhy Write: Needs to create resources, but not delete
Scopes: admin:fullUse Case: Automated testing in development environmentWhy Full: Needs to test all API endpoints

Managing API Keys

Current API Keys

Example API key roster:
NameScopesCreatedLast UsedStatusActions
Production Serverread:analyses, write:analysesJan 15, 20262 min agoActive ✅Revoke
Internal Dashboardread:*Dec 1, 20251 hour agoActive ✅Revoke
Testingadmin:fullJan 20, 20263 days agoActive ✅Revoke
Old CI Pipelineadmin:fullNov 10, 202545 days agoInactive ⚠️Revoke

Revoking API Keys

1

Find Key to Revoke

Settings → API Keys → Locate key
2

Click Revoke

Click Revoke next to key
3

Confirm Revocation

Confirm action (cannot be undone)
4

Access Denied

Key invalidated immediately; API requests return 401 Unauthorized
Security Hygiene: Revoke unused keys regularly. If “Last Used” is over 30 days ago, consider revoking.

Rotating API Keys

Best practice: Rotate keys every 90 days
1

Create New Key

Generate new key with same permissions as old key
2

Update Applications

Replace old key with new key in all applications/scripts
3

Test New Key

Verify all integrations work with new key
4

Revoke Old Key

After 24-48 hours, revoke old key to ensure smooth transition

Using API Keys

Authentication

All API requests require authentication via Bearer token: 
curl https://api.branddna.app/v1/analyze \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://example.com"}'
Headers:
  • Authorization: Bearer YOUR_API_KEY (required)
  • Content-Type: application/json (for POST/PUT requests)

Example: Run Brand Analysis

const fetch = require('node-fetch');

const API_KEY = 'your_api_key_here';
const API_URL = 'https://api.branddna.app/v1/analyze';

async function analyzeBrand(url) {
  const response = await fetch(API_URL, {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      url: url,
      type: 'full' // or 'flash'
    })
  });

  if (!response.ok) {
    throw new Error(`API Error: ${response.statusText}`);
  }

  const data = await response.json();
  return data;
}

analyzeBrand('https://example.com')
  .then(result => console.log(result))
  .catch(error => console.error(error));
See API Reference for complete documentation.

Rate Limits

API rate limits by tier:
TierRequests/MinuteRequests/HourRequests/Day
Pro601,00010,000
Agency1205,00050,000
Headers Returned:
  • X-RateLimit-Limit: Total requests allowed per window
  • X-RateLimit-Remaining: Requests remaining in current window
  • X-RateLimit-Reset: Unix timestamp when limit resets
429 Too Many Requests: If you exceed rate limit, requests return 429 with: 
{
  "error": "Rate limit exceeded",
  "message": "You have exceeded 60 requests per minute",
  "retry_after": 45
}
Handling Rate Limits:
  • Implement exponential backoff
  • Cache responses when possible
  • Use webhooks for long-running operations instead of polling
Need Higher Limits? Contact enterprise@branddna.app for custom rate limits.

Security Best Practices

1. Store Keys Securely

Never commit API keys to version control (Git, SVN, etc.). Use environment variables or secrets managers.
Good: 
# .env file (add to .gitignore)
BRAND_DNA_API_KEY=sk_live_abc123...

# Load in application
require('dotenv').config();
const apiKey = process.env.BRAND_DNA_API_KEY;
Bad: 
// ❌ Hardcoded in source code
const apiKey = 'sk_live_abc123...';

2. Use Environment-Specific Keys

  • Development: Separate key for local development
  • Staging: Different key for staging environment
  • Production: Production-only key with minimal permissions
Benefits:
  • Revoke development key without affecting production
  • Track usage by environment
  • Limit blast radius if key is compromised

3. Rotate Keys Regularly

  • Every 90 days: Proactive rotation
  • Immediately: If key may have been exposed (e.g., accidentally committed)
  • After employee departure: Revoke keys former team members had access to

4. Use Minimal Permissions

Only grant scopes that are actually needed: Example: Dashboard that displays analysis results
  • ✅ Grant: read:analyses
  • ❌ Don’t grant: write:analyses, admin:full

5. Monitor Key Usage

Review “Last Used” column regularly:
  • Keys unused for 30+ days should be investigated
  • Unexpected usage patterns may indicate compromise
  • Set up alerts for API errors (401, 403, 429)

Webhooks (Alternative to Polling)

Instead of polling the API, use webhooks for event notifications: Example: Analysis Complete Webhook 
POST https://your-server.com/webhooks/brand-dna
{
  "event": "analysis.completed",
  "timestamp": "2026-01-27T14:23:45Z",
  "data": {
    "analysis_id": "anl_abc123",
    "url": "https://example.com",
    "status": "completed",
    "results_url": "https://api.branddna.app/v1/analyses/anl_abc123"
  }
}
See Webhooks for setup instructions.

API Key Quotas

API usage counts toward your plan quotas:

Pro Plan

ResourceQuotaAPI Access
AnalysesUnlimited✅ Create via API
Flash AuditsUnlimited✅ Create via API
Helix MessagesUnlimited✅ Send via API
ExportsUnlimited✅ Generate via API

Agency Plan

ResourceQuotaAPI Access
AnalysesUnlimited✅ Create via API
Flash AuditsUnlimited✅ Create via API
Helix MessagesUnlimited✅ Send via API
ExportsUnlimited✅ Generate via API
Team Management10 seats included✅ Manage via API
API requests count toward the same quotas as web interface usage.

Troubleshooting

401 Unauthorized

Cause: Invalid or missing API key Solutions:
  • Verify key is correct (no extra spaces)
  • Check key hasn’t been revoked
  • Ensure Authorization: Bearer header is present

403 Forbidden

Cause: Valid key, but insufficient permissions Solutions:
  • Check key scopes (Settings → API Keys)
  • Create new key with required permissions
  • Verify account tier supports requested feature

429 Rate Limit Exceeded

Cause: Too many requests in time window Solutions:
  • Implement exponential backoff
  • Reduce request frequency
  • Cache responses
  • Upgrade to Agency tier for higher limits

500 Internal Server Error

Cause: Server-side issue Solutions:
  • Retry request after 5-10 seconds
  • Check status page
  • Contact support if persistent
API questions? Email api@branddna.app or see API Documentation.