Brandfine Docs
REST API

Authentication

Workspace-scoped X-Api-Key header. One key per workspace.

Every /external/* request is authenticated with a single HTTP header:

X-Api-Key: bk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

The key resolves to exactly one workspace. Brandfine identifies which tenant's content to return from the key alone — no workspace ID or tenant slug in the URL.

Getting a key

  1. Sign in to the CMS at cms.brandfine.co.
  2. Open your workspace → Settings → API keys.
  3. Click Reveal on the existing key, or Rotate to mint a new one. (Rotation revokes the old key immediately.)

Storing the key safely

  • Server-side only. Never ship the key to a browser. The SDK refuses to construct a client without one because all requests pass through SSR / server functions, not the client.
  • One key per environment. Use separate workspaces for staging vs. production rather than reusing the same key.
  • Environment variable. Convention: BRANDFINE_API_KEY.

What the key can do

Workspace API keys are read-only over the external surface. They can:

  • GET /external/workspace
  • GET /external/posts/*
  • GET /external/categories
  • GET /external/navigations/:key

They cannot:

  • Write any data (creates/edits/deletes happen via the CMS UI).
  • Read other workspaces' data.
  • Hit internal /ws/<team>/* endpoints (those use session auth, not API keys).

Errors

Code  Meaning
401   Missing / invalid / revoked API key.
404   The resource exists for some workspace but not yours, OR doesn't exist at all. (Returned uniformly to avoid leaking workspace existence.)
429   Rate limited. Back off and retry.
5xx   Brandfine server issue. The SDK serves stale cache on these; you should too.
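
The storage rules and the error table above, combined into a small server-side client. This is an added example, not Brandfine's SDK or code from this page. `createClient`, `BrandfineError`, `baseUrl`, the backoff timings and the in-memory cache are assumptions; the page does not give the API host or the SDK's interface.

```javascript
// Added example, not Brandfine's SDK. Server-side only (Node 18+ for global fetch).
class BrandfineError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

function createClient({
  baseUrl,                                 // assumption: the page does not state the API host
  apiKey = process.env.BRANDFINE_API_KEY,  // environment variable convention from the page
  fetchImpl = globalThis.fetch,            // injectable so the client can be exercised offline
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxRetries = 3,                          // assumption: retry budget for 429
}) {
  // Refuse to construct a client without a key, as the page says the SDK does.
  if (!apiKey) throw new Error("BRANDFINE_API_KEY is not set");
  const lastGood = new Map();              // path -> last successful JSON body

  async function get(path) {
    // Workspace keys only cover the read-only external surface.
    if (!path.startsWith("/external/")) throw new Error("API keys only cover /external/*");
    for (let attempt = 0; ; attempt++) {
      const res = await fetchImpl(baseUrl + path, { headers: { "X-Api-Key": apiKey } });
      if (res.ok) {
        const data = await res.json();
        lastGood.set(path, data);
        return { data, stale: false };
      }
      // 401: missing, invalid or revoked key (for example after a rotation).
      // Retrying cannot help, and the message never contains the key, so it is safe to log.
      if (res.status === 401) {
        throw new BrandfineError(401, "API key rejected; check BRANDFINE_API_KEY");
      }
      // 404: absent, or owned by another workspace; the API does not say which.
      if (res.status === 404) return { data: null, stale: false };
      // 429: back off exponentially (250 ms, 500 ms, 1 s), then retry.
      if (res.status === 429 && attempt < maxRetries) {
        await sleep(250 * 2 ** attempt);
        continue;
      }
      // 5xx: serve the last good copy when one exists.
      if (res.status >= 500 && lastGood.has(path)) {
        return { data: lastGood.get(path), stale: true };
      }
      throw new BrandfineError(res.status, `Brandfine request failed with HTTP ${res.status}`);
    }
  }
  return { get };
}
```

Callers can use the `stale` flag to decide whether to show cached content or alert on a prolonged outage.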
