Two ways to authenticate with the s.id API — API keys for server-to-server, OAuth 2.0 for acting on behalf of users.
API keys authenticate server-to-server integrations. Create one in Dashboard → Developer → API Keys, pick your scopes, and pass it as a Bearer token.
Authorization header
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxExample request
curl https://api.s.id/v2/links \
-H "Authorization: Bearer sk_live_..."
Available scopes
links:readList and read linkslinks:writeCreate and update links (create, edit, restore)links:archiveArchive linkslinks:analyticsRead per-link click statistics and lifetime countsqr:readRead QR code settings (global and per-link)qr:writeCustomize QR code settings (global and per-link)user:readRead the authenticated user profile and account quotamicrosites:readRead micrositesmicrosites:writeCreate, update, delete and manage components of micrositesUse the authorization-code flow to act on behalf of s.id users. Your app redirects the user to s.id for approval, then exchanges the code for an access token.
Authorization flow
GET https://dash.s.id/oauth/authorize
?client_id=YOUR_CLIENT_ID
&redirect_uri=https://yourapp.com/callback
&response_type=code
&scope=links:read links:write
&state=RANDOM_STATE
&code_challenge=CODE_CHALLENGE
&code_challenge_method=S256POST https://app.s.id/oauth/token
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&code=AUTH_CODE
&redirect_uri=https://yourapp.com/callback
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&code_verifier=CODE_VERIFIERGET https://app.s.id/oauth/userinfo
Authorization: Bearer ACCESS_TOKENPKCE (S256) is required for public clients — apps without a client secret (SPA, mobile, CLI) — and optional for confidential clients. Add code_challenge and code_challenge_method to step 1, and code_verifier to step 2. The resulting access token works like an API key on any /v2 endpoint, scoped to what the user granted.