API keys
SeoFreshUp uses your own API keys for all third-party services. Here’s a complete list of which keys do what, where to get them, and which are mandatory vs optional.
Mandatory
| Key | Purpose | Where to get | Free tier |
|---|---|---|---|
| OpenRouter API key | All AI features (audit, rewrite, image gen) | openrouter.ai/keys | Pay-as-you-go, $5 minimum top-up |
Without OpenRouter, no AI feature works. The plugin will show clear error messages telling you to configure it.
Recommended (high-value)
| Key | Purpose | Where to get | Free tier |
|---|---|---|---|
| Firecrawl API key | Scrape external URLs for “info-card” enrichment during rewrite | firecrawl.dev | 500 scrapes/month free |
| Google Safe Browsing key | Detect malware/phishing in outbound links | console.cloud.google.com | 10k req/day free |
Without Firecrawl, the URL enrichment feature in the rewrite modal is hidden (other features still work).
Optional (extra threat detection)
| Key | Purpose | Where to get | Free tier |
|---|---|---|---|
| VirusTotal | Cross-check outbound URLs against 70+ AV engines | virustotal.com | 4 req/min free |
| PhishTank | Verified phishing list | phishtank.com | Free |
| URLhaus auth key | Higher rate limits on malware detection | auth.abuse.ch | Free |
| Cloudflare token + account ID | (planned) Cloudflare Workers AI integration | dash.cloudflare.com | — |
Without these, the outbound link scan still works using public endpoints (Sucuri SiteCheck, URLhaus anonymous, HTTP HEAD).
Configuration screen
In the WordPress admin: 🌿 SeoFreshUp → Settings → API Keys & Models
Each key has:
- Password input with 👁 Show/hide toggle
- 🔌 Test the key button (calls a free endpoint to verify the key is valid)
- Inline help text with a link to the provider’s signup page
Storage
All keys are stored in the wp_options table:
| Option name | Key |
|---|---|
lws_audit_openrouter_key | OpenRouter |
lws_audit_firecrawl_key | Firecrawl |
lws_audit_google_safebrowsing_key | Safe Browsing |
lws_audit_virustotal_key | VirusTotal |
lws_audit_phishtank_key | PhishTank |
lws_audit_urlhaus_key | URLhaus |
lws_audit_cloudflare_token | Cloudflare token |
lws_audit_cloudflare_account | Cloudflare account |
Stored as plain text (not encrypted). For maximum security, ensure your WP database is encrypted at rest (most managed hosting does this — LWS, Kinsta, WP Engine, etc.).
Testing all keys at once
The Settings → Requirements sub-tab runs a connectivity test for OpenRouter + Firecrawl + Google (every 5 min, cached). Green = working, red = blocked. See Troubleshooting → Connectivity if anything is red.
Rotating keys
If you suspect a key was leaked:
- Go to the provider’s dashboard, revoke the old key, create a new one
- Paste the new key in Settings → API Keys & Models
- Save
- Old key stops working immediately on the provider’s side