Projects
A project groups everything tied to one site: generated images, API keys, and the domains allowed to call the public meta-tag endpoint. Every request — meta tag or API — is scoped to exactly one project.
Public ID vs project ID
Each project has two identifiers:
| Identifier | Format | Where it’s used |
|---|---|---|
id (UUID) | 550e8400-... | API bodies: POST /api/images/generate |
publicId | 8-char slug | Public meta-tag URL: /og/{publicId}?url=... |
The public ID is safe to expose in HTML; the UUID is only used in authenticated API calls.
Domain allowlist
The public OG endpoint (GET /og/:publicId) optionally enforces a per-project domain allowlist. Leave the list empty and any URL is served; add one or more domains and requests whose URL host doesn’t match are rejected with 403 domain_not_allowed. Matching is host-based — example.com covers example.com and any subdomain (e.g. www.example.com, blog.example.com).
Generation is never blocked by the allowlist — the check only runs when the public GET endpoint serves an image. Authenticated API calls (POST /api/images/generate) ignore the allowlist entirely; API keys are the authorization there.
Leaving the allowlist empty is fine for most projects. Add domains when you want to stop someone else from pasting your public ID into their <meta> tag and burning your quota.
Plan limits
| Plan | Projects | Domains per project |
|---|---|---|
| Free | 1 | 1 |
| Plus | 5 | 3 |
| Pro | Unlimited | Unlimited |
Creating a project
Dashboard → Projects → New project. Provide a name; domains are optional. The public ID is generated automatically and cannot be changed.
Deleting a project
Deletion is permanent and cascades: all API keys scoped to the project are revoked, all generated image records are removed, and the public ID stops working. The dashboard requires typing the project name to confirm.