Authentication overview

PeakMetrics provides real-time media intelligence and analytics through its platform, accessible via an API for programmatic integration. Authenticating with the PeakMetrics API is a prerequisite for making authorized requests to access data such as media mentions, sentiment analysis, and crisis alerts. The API supports standard authentication mechanisms designed to secure data transmission and ensure that only authorized applications and users can interact with the service. All API communication with PeakMetrics is encrypted using HTTPS/TLS to protect data in transit, aligning with industry security practices for web services, as detailed in the Cloudflare TLS overview.

Developers integrating with PeakMetrics have two primary methods for authenticating their requests: API keys and OAuth 2.0. The choice between these methods typically depends on the application's nature and the level of access control required. API keys offer a straightforward approach for server-to-server communication or script-based integrations, while OAuth 2.0 is designed for scenarios where third-party applications need to access user data without directly handling user credentials, adhering to the OAuth 2.0 framework specifications.

Supported authentication methods

PeakMetrics supports two main authentication methods to accommodate various integration needs:

  1. API Keys: A simple, token-based authentication mechanism where a unique, secret key is generated and used to identify and authenticate the calling application or user. API keys are typically passed in the Authorization header of HTTP requests as a Bearer token. This method is suitable for direct application-to-application communication where the key can be securely stored and managed on the server side.
  2. OAuth 2.0: An industry-standard protocol for authorization that allows applications to obtain limited access to user accounts on an HTTP service, such as the PeakMetrics API. OAuth 2.0 delegates user authentication to the service hosting the user's account and authorizes third-party applications to access that user's account with an access token. PeakMetrics supports standard OAuth 2.0 grant types, including the Authorization Code Flow for web applications and the Client Credentials Flow for server-to-server integrations where the client is also the resource owner.

The following table summarizes the key characteristics of each method:

| Method | When to Use | Security Level | Complexity |
|---|---|---|---|
| API Key | Server-side applications, scripts, internal tools, direct API access from trusted environments. | Moderate (requires secure storage and transmission) | Low |
| OAuth 2.0 | Third-party applications, client-side applications, mobile apps, integrations requiring delegated authorization. | High (token-based, scope-limited, refresh tokens available) | Moderate to High |

Getting your credentials

To authenticate with the PeakMetrics API, you must first obtain the necessary credentials from your PeakMetrics account. The process varies slightly depending on whether you opt for API key access or OAuth 2.0.

For API Keys:

  1. Log in to PeakMetrics: Access your PeakMetrics account through the web interface at app.peakmetrics.com.
  2. Navigate to API Settings: Once logged in, locate the "API Settings" or "Developer Settings" section within your account dashboard. The exact path may vary but is typically found under your user profile or administrative settings.
  3. Generate an API Key: Within the API settings, you will find an option to generate new API keys. PeakMetrics may allow you to create multiple keys for different applications or environments. It is recommended to label your keys clearly for better management.
  4. Copy and Store Securely: Upon generation, the API key will be displayed. It is crucial to copy this key immediately and store it in a secure location. For security reasons, the key may only be shown once and cannot be retrieved later. If lost, you will need to generate a new key.

For OAuth 2.0:

  1. Register Your Application: Before using OAuth 2.0, you must register your application with PeakMetrics. This process typically involves providing details such as your application's name, description, and one or more redirect URIs (callback URLs) where users will be sent after authorizing your application. This registration usually occurs within the same "Developer Settings" section of your PeakMetrics account.
  2. Obtain Client ID and Client Secret: Upon successful application registration, PeakMetrics will issue a Client ID and a Client Secret. The Client ID is a publicly exposed string that represents your application, while the Client Secret is a confidential string known only to your application and the authorization server.
  3. Configure Redirect URIs: Ensure that the redirect URIs configured in your PeakMetrics application settings exactly match the URIs used by your application. Mismatched URIs are a common cause of OAuth 2.0 authentication failures.
  4. Implement OAuth 2.0 Flow: Your application will then need to implement the appropriate OAuth 2.0 flow (e.g., Authorization Code Flow) to obtain an access token. This involves directing users to PeakMetrics' authorization endpoint, handling the callback to your redirect URI, and exchanging the authorization code for an access token using your Client ID and Client Secret.

Refer to the PeakMetrics official documentation for specific steps and up-to-date instructions on credential retrieval and management.

Authenticated request example

Once you have obtained your API key, you can use it to make authenticated requests to the PeakMetrics API. The API key should be included in the Authorization header of your HTTP requests as a Bearer token. Below is an example using curl to fetch data from a hypothetical PeakMetrics API endpoint.

curl -X GET \
  'https://api.peakmetrics.com/v1/mentions?topic_id=12345' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -H 'Content-Type: application/json'

In this example:

  • YOUR_API_KEY should be replaced with the actual API key you generated from your PeakMetrics account.
  • https://api.peakmetrics.com/v1/mentions?topic_id=12345 represents a hypothetical endpoint to retrieve mentions for a specific topic.
  • The -H 'Authorization: Bearer YOUR_API_KEY' header is essential for authenticating your request.
  • The -H 'Content-Type: application/json' header indicates that the request expects a JSON response.

For OAuth 2.0, after successfully completing the authorization flow and obtaining an access token, you would use it similarly:

curl -X GET \
  'https://api.peakmetrics.com/v1/user/profile' \
  -H 'Authorization: Bearer YOUR_ACCESS_TOKEN' \
  -H 'Content-Type: application/json'

Here, YOUR_ACCESS_TOKEN is the token obtained through the OAuth 2.0 flow, which typically has a limited lifespan and may require refreshing.
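
The same API-key request built from Python, as an added example that is not PeakMetrics code: it reads the key from the environment, refuses to attach it to anything but the expected HTTPS host, and redacts it before headers are logged. The environment variable name PEAKMETRICS_API_KEY and the function names are assumptions, and the endpoint is the hypothetical one from the curl example.

```python
import json
import logging
import os
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit

log = logging.getLogger("peakmetrics_client")
API_BASE = "https://api.peakmetrics.com/v1"  # base URL taken from the curl example
KEY_ENV_VAR = "PEAKMETRICS_API_KEY"          # hypothetical variable name


def build_request(path, params=None, base_url=API_BASE):
    """Build (but do not send) a GET request with the key as a Bearer token."""
    key = os.environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    url = f"{base_url.rstrip('/')}/{path.lstrip('/')}"
    if params:
        url += "?" + urlencode(params)
    parts = urlsplit(url)
    # Never attach the credential to plain HTTP or to an unexpected host,
    # for example when base_url comes from a mistyped configuration value.
    if parts.scheme != "https" or parts.hostname != urlsplit(API_BASE).hostname:
        raise ValueError("refusing to send credential to this URL")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})


def loggable_headers(req):
    """Copy of the request headers that is safe to write to logs."""
    return {name: "[REDACTED]" if name.lower() == "authorization" else value
            for name, value in req.header_items()}


def get_json(req):
    """Send the request; on failure log status and path only, never the key."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        log.warning("PeakMetrics request failed: status=%s path=%s",
                    exc.code, urlsplit(req.full_url).path)
        raise
```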

Security best practices

Adhering to security best practices is crucial when handling API credentials to protect your data and maintain the integrity of your integrations with PeakMetrics. PeakMetrics itself is SOC 2 Type II compliant, indicating adherence to rigorous security standards. Your implementation should reflect similar diligence.

  • Secure Credential Storage: Never hardcode API keys or client secrets directly into your application's source code. Store them in environment variables, secure configuration files, or dedicated secret management services (e.g., AWS Secrets Manager, Azure Key Vault, Google Cloud Secret Manager).
  • Use HTTPS/TLS: Always ensure all communication with the PeakMetrics API occurs over HTTPS/TLS. This encrypts data in transit, preventing eavesdropping and tampering. PeakMetrics enforces HTTPS for all API endpoints.
  • Restrict API Key Privileges: If PeakMetrics offers granular permissions for API keys, generate keys with the minimum necessary privileges required for your application's functionality. This principle of least privilege limits the potential damage if a key is compromised.
  • Rotate API Keys and Client Secrets: Regularly rotate your API keys and client secrets. This practice minimizes the window of opportunity for a compromised credential to be exploited. Establish a scheduled rotation policy.
  • Implement OAuth 2.0 Securely: For OAuth 2.0 implementations, always validate the state parameter to prevent Cross-Site Request Forgery (CSRF) attacks. Ensure your redirect URIs are strictly registered and match exactly.
  • Error Handling and Logging: Implement robust error handling for authentication failures and log relevant events (e.g., failed authentication attempts) for auditing and monitoring purposes. Avoid exposing sensitive information in error messages.
  • Rate Limiting and Throttling: Be aware of and respect PeakMetrics's API rate limits. Excessive requests can lead to temporary blocking, which, while not a direct security measure, can impact application availability.
  • Monitor for Suspicious Activity: Regularly monitor your application's API usage for any unusual patterns or suspicious activity that might indicate a compromised key or unauthorized access.
  • Review PeakMetrics Documentation: Always refer to the official PeakMetrics API documentation for the latest security recommendations and specific implementation details.
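
The Authorization Code steps under "Getting your credentials" and the state and redirect URI checks listed above, as an added example that is not PeakMetrics code. The authorization endpoint, client ID, redirect URI and the OAUTH_CLIENT_SECRET variable name are placeholders; the session is modelled as a plain dict standing in for your web framework's server-side session.

```python
import hmac
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders, not PeakMetrics values: take the real endpoint and client ID
# from the official documentation and your application registration.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.invalid/oauth/callback"  # exactly as registered


def begin_authorization(session):
    """Bind a fresh random state to the session; return the authorization URL."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url):
    """Return the authorization code, or raise ValueError if validation fails."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use, even on failure
    received = params.get("state", [])
    if expected is None or len(received) != 1 or not hmac.compare_digest(
            expected.encode(), received[0].encode()):
        raise ValueError("state missing or mismatched; possible CSRF")
    if "error" in params:
        raise ValueError("authorization was denied or failed")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request_form(code):
    """Form fields for the code exchange. redirect_uri must equal the value
    sent in the authorization request; the secret comes from the environment."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": os.environ["OAUTH_CLIENT_SECRET"]}
```

Because the stored state is removed on every callback, a replayed or forged callback fails even if it carries a value that was valid earlier.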