Authentication
Two ways to authenticate with the s.id API — API keys for server-to-server, OAuth 2.0 for acting on behalf of users.
API Keys
API keys authenticate server-to-server integrations. Create one in Dashboard → Developer → API Keys, pick your scopes, and pass it as a Bearer token.
Authorization header
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxExample request
curl https://api.s.id/v2/links \
-H "Authorization: Bearer sk_live_..."
Available scopes
links:readList and read linkslinks:writeCreate and update links (create, edit, restore)links:archiveArchive linkslinks:analyticsRead per-link click statistics and lifetime countsqr:readRead QR code settings (global and per-link)qr:writeCustomize QR code settings (global and per-link)user:readRead the authenticated user profile and account quotamicrosites:readRead micrositesmicrosites:writeCreate, update, delete and manage components of microsites- •Keys start with sk_live_ and are shown only once at creation.
- •Request only the minimum scopes your integration needs.
- •Revoke keys immediately if compromised — create a new one.
- •Never expose API keys client-side (browsers, mobile apps).
OAuth 2.0
Use the authorization-code flow to act on behalf of s.id users. Your app redirects the user to s.id for approval, then exchanges the code for an access token.
Authorization flow
- 1Redirect user
GET https://dash.s.id/oauth/authorize ?client_id=YOUR_CLIENT_ID &redirect_uri=https://yourapp.com/callback &response_type=code &scope=links:read links:write &state=RANDOM_STATE &code_challenge=CODE_CHALLENGE &code_challenge_method=S256 - 2Exchange code for token
POST https://app.s.id/oauth/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=AUTH_CODE &redirect_uri=https://yourapp.com/callback &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET &code_verifier=CODE_VERIFIER - 3Use access token
GET https://app.s.id/oauth/userinfo Authorization: Bearer ACCESS_TOKEN
PKCE (S256) is required for public clients — apps without a client secret (SPA, mobile, CLI) — and optional for confidential clients. Add code_challenge and code_challenge_method to step 1, and code_verifier to step 2. The resulting access token works like an API key on any /v2 endpoint, scoped to what the user granted.