API Docs
Authentication

Authentication

Shortify has three credential scopes. Every credential is sent in the api-key header, but each one is accepted only by its matching API family.

Credential Types

Server API Key

sk_live_ or existing sk_web_

Server-only

Short-link and deep-link creation and management, domains, server events, and analytics.

Short-link Client Key

pk_live_ or existing sk_mobile_

Short-link clients

Short-link resolve, click, and event routes on Web, Android, and iOS.

App API Key

pk_app_live_

Native deep-link clients

App-scoped deep-link resolution, attribution, and customer event routes.

Headers

ParameterTypeRequiredDescription
api-keystring
Required
The credential matching the requested API family.
x-shortify-platformbrowser | android | ios
Optional
Required for native clients; browser is inferred from Origin and supported only for short-link routes.
x-shortify-environmentstring
Optional
Optional client environment label. Defaults to live.
Server API Key
curl "https://api.shortify.com/v1/links" \
  -H "api-key: sk_live_your_server_key"
Short-link Client Key
curl -X POST "https://api.shortify.com/v1/client/short-links/resolve" \
  -H "api-key: pk_live_your_short_link_client_key" \
  -H "x-shortify-platform: browser" \
  -H "Origin: https://app.example.com" \
  -H "Content-Type: application/json" \
  --data '{"linkId":"link_123"}'

Scope Enforcement

A known credential used on the wrong API family returns 403. Unknown or missing credentials return 401. App API Keys reject browser requests and authorize only the configured app's deep links.