Authentication
All Affilync API requests require authentication. You can use either JWT tokens (for user sessions) or API keys (for server-to-server integrations).
Base URL
https://api.affilync.com/api
All endpoints are prefixed with /api/.
Option 1: API Key Authentication
Include your API key in the Authorization header:
curl https://api.affilync.com/api/campaigns \
-H "Authorization: Bearer afk_live_abc123xyz..."
API keys are created in Settings > Security > API Keys. See Security for scope details.
Option 2: JWT Authentication
Login
curl -X POST https://api.affilync.com/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password"
}'
Response (200):
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"expires_in": 3600
}
Use the Access Token
Include the access token in subsequent requests:
curl https://api.affilync.com/api/campaigns \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..."
Refresh the Token
Access tokens expire after 1 hour. Use the refresh token to get a new pair:
curl -X POST https://api.affilync.com/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "eyJhbGciOiJIUzI1NiIs..."
}'
Response (200):
{
"access_token": "eyJhbGciOiJIUzI1NiIs...",
"refresh_token": "eyJhbGciOiJIUzI1NiIs...",
"token_type": "bearer",
"expires_in": 3600
}
Refresh tokens expire after 30 days or when a new refresh token is issued.
Token Details
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Access token lifetime | 1 hour |
| Refresh token lifetime | 30 days |
| Token format | JWT (JSON Web Token) |
Error Responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing, expired, or invalid token |
| 403 Forbidden | Valid token but insufficient permissions/scopes |
{
"detail": "Token has expired",
"error_code": "TOKEN_EXPIRED"
}
Best Practices
- Use API keys for backend integrations and JWT tokens for user-facing applications.
- Store tokens securely -- never expose them in client-side code or URLs.
- Implement automatic token refresh before expiry to avoid interruptions.
- Use the narrowest API key scopes possible for each integration.
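One way to implement refresh-before-expiry against the `/auth/refresh` endpoint documented above, as an added example rather than Affilync's own client code. `TokenManager`, `http_post`, the 60-second `skew` margin and the fake endpoint in `demo()` are assumptions made for illustration. The helper keeps the token pair in memory only and replaces both tokens on every refresh.

```python
import json
import time
import urllib.request

BASE_URL = "https://api.affilync.com/api"  # base URL from this page


def http_post(path, body):
    """POST JSON to the API and return the decoded JSON response."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenManager:
    """Hypothetical helper: keeps the token pair in memory, refreshes before expiry."""

    def __init__(self, tokens, post=http_post, clock=time.monotonic, skew=60):
        self._post, self._clock, self._skew = post, clock, skew
        self._store(tokens)

    def _store(self, tokens):
        # Replace BOTH tokens: the old refresh token dies when a new one is issued.
        self._access = tokens["access_token"]
        self._refresh = tokens["refresh_token"]
        self._expires_at = self._clock() + tokens["expires_in"]

    def auth_header(self):
        """Return the Authorization header, refreshing first if expiry is near."""
        if self._clock() >= self._expires_at - self._skew:
            self._store(self._post("/auth/refresh", {"refresh_token": self._refresh}))
        return {"Authorization": "Bearer " + self._access}


def demo():
    """Offline run against a constructed fake refresh endpoint and fake clock."""
    now, seen = [0.0], []
    def fake_post(path, body):  # constructed stand-in for POST /auth/refresh
        seen.append(body["refresh_token"])
        n = len(seen)
        return {"access_token": f"a{n}", "refresh_token": f"r{n}", "expires_in": 3600}
    first = {"access_token": "a0", "refresh_token": "r0", "expires_in": 3600}
    tm = TokenManager(first, post=fake_post, clock=lambda: now[0])
    def at(t):
        now[0] = t
        return tm.auth_header()["Authorization"]
    return [at(t) for t in (0, 3500, 3545, 7200)], seen
```

In a real integration, pass the JSON returned by `/auth/login` as `tokens` and call `auth_header()` before each request.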