Authentication
All API requests require authentication using an API key.
API Keys
API keys are used to authenticate requests. You can create and manage API keys in your dashboard settings.
Include your API key in the Authorization header:
Authorization: Bearer tk_live_your_api_key
Key Format
API keys follow this format:
tk_live_ - Production keys
tk_test_ - Test keys (sandbox environment)
Scopes
API keys have scoped permissions. Select only the scopes you need when creating a key for better security.
| Scope | Description |
|---|---|
| links:read | Read link data, metadata, and click counts |
| links:write | Create, update, and delete links |
| analytics:read | Read detailed analytics and click data |
| domains:read | Read custom domain configuration |
| domains:write | Manage custom domains |
Security Best Practices
Never expose keys in client-side code
API keys should only be used in server-side code. Never include them in JavaScript bundles, mobile apps, or anywhere they could be extracted.
Use environment variables
Store your API keys in environment variables, not in your codebase. This prevents accidental exposure through version control.
# .env.local
TRIMLINK_API_KEY=tk_live_your_api_key
Use minimal scopes
Only request the scopes your application needs. If you only need to create links, don't request analytics or domain management permissions.
Rotate keys periodically
Create new API keys periodically and revoke old ones. This limits the impact if a key is compromised.
Authentication Errors
If authentication fails, you'll receive one of these errors:
| Code | Meaning |
|---|---|
| 401 | Missing or invalid API key |
| 403 | API key doesn't have required scope |
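The server-side handling described above, as an added example that is not part of the original documentation or the API provider's own code: it loads the key from TRIMLINK_API_KEY, checks the documented prefix, builds the Authorization header, redacts the key for logs, and turns the 401/403 codes into an operator action. The function names, the rule that tk_live_ keys are refused unless NODE_ENV is "production", and the redaction format are assumptions.

```javascript
// Added example. TRIMLINK_API_KEY, the tk_ prefixes, the Bearer header and the
// 401/403 meanings come from the page; every function name here is hypothetical.
const KEY_PREFIXES = { tk_live_: "production", tk_test_: "sandbox" };

// Return the documented prefix the key starts with, or "" if it has none.
function keyPrefix(key) {
  return Object.keys(KEY_PREFIXES).find((p) => key.startsWith(p)) || "";
}

// Load the key from the environment (server side only) and classify it.
function loadApiKey(env = process.env) {
  if (typeof window !== "undefined" && typeof window.document !== "undefined") {
    throw new Error("API keys must only be loaded in server-side code");
  }
  const key = (env.TRIMLINK_API_KEY || "").trim();
  if (!key) throw new Error("TRIMLINK_API_KEY is not set");
  const prefix = keyPrefix(key);
  if (!prefix || key.length === prefix.length) {
    throw new Error("TRIMLINK_API_KEY is not a tk_live_ or tk_test_ key");
  }
  const kind = KEY_PREFIXES[prefix];
  // Assumed local policy: production keys are used only when NODE_ENV=production.
  if (kind === "production" && env.NODE_ENV !== "production") {
    throw new Error("refusing to use a tk_live_ key outside production");
  }
  return { key, kind };
}

// Build the Authorization header in the documented Bearer form.
function authHeaders(key) {
  return { Authorization: `Bearer ${key}` };
}

// Log-safe form: the prefix plus the last four characters of longer keys.
function redactKey(key) {
  const prefix = keyPrefix(key);
  const tail = key.length - prefix.length > 8 ? key.slice(-4) : "";
  return `${prefix}...${tail}`;
}

// Map the documented authentication errors to what the operator should do.
function explainAuthError(status, requiredScope) {
  if (status === 401) return "401: key missing or invalid; check TRIMLINK_API_KEY";
  if (status === 403) return `403: key lacks scope ${requiredScope}; issue a key that has it`;
  return null; // not an authentication error
}
```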