Embedly requires authentication on all endpoints.


Need an API Key?

No problem! Sign up for one at app.embed.ly

To authenticate your requests, include key as a query parameter, it should look like this::

https://api.embedly.com/:version/:endpoint?key=:key&<additional query parameters>

Choose :version and :endpoint depending on the part of the API that you want to access, e.g. 1/oembed for the /1/oembed or 1/extract for the /1/extract. Replace :key with the unique API key shown in the app dashboard..

Restricting Access

By default, Embedly allows requests from anywhere. Tighter security is also an option. You can use the API > Key section of the app dashboard to create a whitelist of referrers and/or IP addresses that Embedly will accept requests from. All other requests will be rejected with a 403 Forbidden response.

We use a simple "globbing" syntax for referrers, where * is a wildcard that will match any number of characters. To allow all traffic from yourdomain.com (but not its subdomains), you would enter yourdomain.com*. To allow subdomains as well, you would make it *yourdomain.com*. Take note of the wildcard at the end, which means that requests that indicate a path as well as a host (e.g. yourdomain.com/foo) will be accepted.

Globbing works similarly for IP addresses. If all of your requests come from a cluster of servers with IP addresses in the range to, then you would set a single rule 1.1.1.*.


Two-legged OAuth is supported as an alternative to key-based authentication.

Your account can only be configured to use either key-based authentication or OAuth, not both. To switch from one form of authentication to the other, visit the API > Key section of the app dashboard.