Documentation

Authentication

AgentSEO authenticates with API keys. REST requests use x-api-key. Hosted MCP accepts either Authorization: Bearer or x-api-key.

There is one live key format today: sk_live_.... The app does not document a separate public or test-key format for external use.

REST API

All normal API routes under /api/v1 use the x-api-key header.

curl -X POST https://www.agentseo.dev/api/v1/search \
  -H "x-api-key: sk_live_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"query":"agentseo docs"}'

Hosted MCP

Hosted MCP accepts a live API key via Authorization: Bearer or x-api-key. Bearer auth is the form recommended in the public docs because most MCP clients expect it.

claude mcp add --transport http agentseo https://www.agentseo.dev/mcp \
  --header "Authorization: Bearer sk_live_your_key_here" \
  --header "x-project-id: client-alpha" \
  --header "x-workflow-id: nightly-refresh"

Headers

| Header | Where | Purpose |
| --- | --- | --- |
| x-api-key | REST, hosted MCP | Main API key header for normal API requests. |
| Authorization: Bearer | Hosted MCP | Recommended auth format for remote MCP clients. |
| x-project-id | Optional | Project attribution carried into usage logs and async jobs. |
| x-workflow-id | Optional | Workflow or run attribution for agent and automation traces. |

API Key Format

  • sk_live_... (Live Key): Required for production API and hosted MCP requests. Requests consume credits and are subject to plan-based rate limits.

Allowed Domains and Browser Use

If an API key has an allowed-domain list, AgentSEO requires the request to arrive with an Origin or Referer that matches that allowlist. Server-side calls such as cron jobs, backends, and CLI clients should use a key without allowed domains.

  • Browser-scoped key: use only when you intentionally want the key bound to specific origins.
  • Server-side key: leave allowed domains empty so backend requests and automations are not blocked.
  • Hosted MCP: requires a server-side key with no allowed domains.

Security Warning

Your API keys carry many privileges. Do not embed unrestricted keys in client-side code, mobile apps, browser extensions, or public repositories. Use a backend proxy, server action, or a domain-restricted key if you intentionally expose browser-origin traffic.
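One way to follow the backend-proxy advice above, as an added example that is not AgentSEO's own code: a small server-side proxy that holds a server-side key (no allowed domains) and forwards only a validated search query. The front-end origin, the AGENTSEO_API_KEY environment variable, the 200-character cap and the "web-proxy" project id are assumptions made for the example.

```python
import json
import os
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://www.agentseo.dev/api/v1/search"
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: your own front end

def build_upstream_request(origin, raw_body, api_key):
    """Return a urllib Request for AgentSEO, or None if the call is refused."""
    if origin not in ALLOWED_ORIGINS or not api_key:
        return None
    try:
        query = json.loads(raw_body)["query"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(query, str) or not 0 < len(query) <= 200:  # assumed cap
        return None
    # Rebuild body and headers from scratch: nothing else the browser sent is forwarded.
    body = json.dumps({"query": query}).encode()
    return urllib.request.Request(UPSTREAM, data=body, method="POST", headers={
        "x-api-key": api_key,
        "Content-Type": "application/json",
        "x-project-id": "web-proxy",  # constructed attribution value
    })

class Proxy(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        key = os.environ.get("AGENTSEO_API_KEY")  # key lives only on the server
        body = self.rfile.read(min(length, 4096))
        req = build_upstream_request(self.headers.get("Origin"), body, key)
        if req is None:
            self.send_error(400)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as upstream:
                status, payload = upstream.status, upstream.read()
        except OSError:  # network failure, timeout, or upstream error status
            self.send_error(502)
            return
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The Origin check here only filters which pages may use the proxy; it does not authenticate users, so put your own session or rate-limit checks in front of it.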

Next Steps

Handle errors, rate limits, and async job polling correctly after auth is in place.