s.id Logo
Developer Platform

Authentication

Two ways to authenticate with the s.id API — API keys for server-to-server, OAuth 2.0 for acting on behalf of users.

API Keys

API keys authenticate server-to-server integrations. Create one in Dashboard → Developer → API Keys, pick your scopes, and pass it as a Bearer token.

Authorization header

Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Example request

curl https://api.s.id/v2/links \
  -H "Authorization: Bearer sk_live_..."

Available scopes

links:readList and read links
links:writeCreate and update links (create, edit, restore)
links:archiveArchive links
links:analyticsRead per-link click statistics and lifetime counts
qr:readRead QR code settings (global and per-link)
qr:writeCustomize QR code settings (global and per-link)
user:readRead the authenticated user profile and account quota
microsites:readRead microsites
microsites:writeCreate, update, delete and manage components of microsites
  • Keys start with sk_live_ and are shown only once at creation.
  • Request only the minimum scopes your integration needs.
  • Revoke keys immediately if compromised — create a new one.
  • Never expose API keys client-side (browsers, mobile apps).

OAuth 2.0

Use the authorization-code flow to act on behalf of s.id users. Your app redirects the user to s.id for approval, then exchanges the code for an access token.

Authorization flow

  1. 1Redirect user
    GET https://dash.s.id/oauth/authorize
      ?client_id=YOUR_CLIENT_ID
      &redirect_uri=https://yourapp.com/callback
      &response_type=code
      &scope=links:read links:write
      &state=RANDOM_STATE
      &code_challenge=CODE_CHALLENGE
      &code_challenge_method=S256
  2. 2Exchange code for token
    POST https://app.s.id/oauth/token
      Content-Type: application/x-www-form-urlencoded
    
      grant_type=authorization_code
      &code=AUTH_CODE
      &redirect_uri=https://yourapp.com/callback
      &client_id=YOUR_CLIENT_ID
      &client_secret=YOUR_CLIENT_SECRET
      &code_verifier=CODE_VERIFIER
  3. 3Use access token
    GET https://app.s.id/oauth/userinfo
      Authorization: Bearer ACCESS_TOKEN

PKCE (S256) is required for public clients — apps without a client secret (SPA, mobile, CLI) — and optional for confidential clients. Add code_challenge and code_challenge_method to step 1, and code_verifier to step 2. The resulting access token works like an API key on any /v2 endpoint, scoped to what the user granted.

Developer Platform