Appearance
Authentication
FreshEvery request to the RSS.app API must include a valid Authorization header. This page explains how to locate your credentials, format the header correctly, and handle authentication errors.
Getting Your Credentials
Log in to your RSS.app account and navigate to the API settings page. You will find two values:
- API Key — a public identifier for your account
- API Secret — a private secret that must never be exposed in client-side code
Both values are required to authenticate API requests.
The Authorization Header Format
RSS.app uses Bearer token authentication. The token is constructed by joining your API Key and API Secret with a colon character:
Authorization: Bearer YOUR_API_KEY:YOUR_API_SECRETFor example, if your API Key is abc123 and your API Secret is xyz789, the header is:
Authorization: Bearer abc123:xyz789This header must be present on every API request — there is no session mechanism or cookie-based auth.
Setting Up in Node.js
The cleanest approach in Node.js is to store your credentials in environment variables and construct the header once, then reuse it across all requests.
Step 1: Store credentials in .env
RSSAPP_API_KEY=your_api_key_here
RSSAPP_API_SECRET=your_api_secret_hereStep 2: Create a reusable axios instance
js
const axios = require('axios');
require('dotenv').config();
const apiClient = axios.create({
baseURL: 'https://api.rss.app/v1',
headers: {
Authorization: `Bearer ${process.env.RSSAPP_API_KEY}:${process.env.RSSAPP_API_SECRET}`,
'Content-Type': 'application/json',
},
});
module.exports = apiClient;Step 3: Use the client in your code
js
const apiClient = require('./apiClient');
async function listFeeds() {
const response = await apiClient.get('/feeds');
return response.data;
}By centralizing your auth header in a shared axios instance, you only ever need to change the credentials in one place.
All Requests Require HTTPS
The RSS.app API only accepts requests over HTTPS. Requests sent over plain HTTP will be rejected. The base URL https://api.rss.app enforces this at the server level — never use http:// in the base URL.
Authentication Errors
When authentication fails, the API returns HTTP 401 Unauthorized. The response body follows the standard error format:
json
{
"message": "Unauthorized",
"statusCode": 401,
"errors": [
{
"title": "Invalid credentials",
"code": "unauthorized"
}
]
}Common causes of 401 errors:
- The
Authorizationheader is missing entirely - The format is wrong — for example, using
Basicinstead ofBearer - The API Key or API Secret contains a typo
- The colon separator between key and secret is missing
- The credentials belong to a different environment or account
Security Practices
Never embed credentials in client-side code. The API Secret must remain server-side. If you call the RSS.app API from a browser-based application, proxy the requests through your own backend server. Your backend performs the authenticated call and forwards the response to the client.
Rotate credentials if exposed. If your API Secret appears in a public repository, browser source code, or any other unprotected location, regenerate it immediately from the API settings page. Old credentials become invalid as soon as new ones are generated.
Use environment variables in all environments. Do not hardcode credentials in source files, configuration files committed to version control, or Docker images. Use .env for local development, and your platform's secret management (Vercel environment variables, AWS Secrets Manager, etc.) for production.
Limit secret access. Only the server processes that need to call the API should have the credentials. Do not pass them as query parameters or include them in logs.