Authentication
Authentication
Shortify has three credential scopes. Every credential is sent in the api-key header, but each one is accepted only by its matching API family.
Keep the Server API Key off clients
Never ship a Server API Key in browser code, mobile bundles, public repositories, logs, or support tickets. Client applications must use the scoped Short-link Client Key or App API Key.
Credential Types
Server API Key
sk_live_ or existing sk_web_
Server-only
Short-link and deep-link creation and management, domains, server events, and analytics.
Short-link Client Key
pk_live_ or existing sk_mobile_
Short-link clients
Short-link resolve, click, and event routes on Web, Android, and iOS.
App API Key
pk_app_live_
Native deep-link clients
App-scoped deep-link resolution, attribution, and customer event routes.
Headers
| Parameter | Type | Required | Description |
|---|---|---|---|
| api-key | string | Required | The credential matching the requested API family. |
| x-shortify-platform | browser | android | ios | Optional | Required for native clients; browser is inferred from Origin and supported only for short-link routes. |
| x-shortify-environment | string | Optional | Optional client environment label. Defaults to live. |
Server API Key
curl "https://api.shortify.com/v1/links" \
-H "api-key: sk_live_your_server_key"Short-link Client Key
curl -X POST "https://api.shortify.com/v1/client/short-links/resolve" \
-H "api-key: pk_live_your_short_link_client_key" \
-H "x-shortify-platform: browser" \
-H "Origin: https://app.example.com" \
-H "Content-Type: application/json" \
--data '{"linkId":"link_123"}'Scope Enforcement
A known credential used on the wrong API family returns 403. Unknown or missing credentials return 401. App API Keys reject browser requests and authorize only the configured app's deep links.