Authentication
All Affilync API requests require authentication. You can use either JWT tokens (for user sessions) or API keys (for server-to-server integrations).
Base URL
https://api.affilync.com/api
All endpoints are prefixed with /api/.
Option 1: API Key Authentication
Include your API key in the X-API-Key header:
curl https://api.affilync.com/api/campaigns \
-H "X-API-Key: afk_live_abc123xyz..."
API keys are only accepted via the
X-API-Keyheader. Sending an API key asAuthorization: Bearer …will fail — that header is reserved for JWT access tokens.
API keys are created in Settings > Security > API Keys. See Security for key management details.
Option 2: JWT Authentication
Login
curl -X POST https://api.affilync.com/api/auth/login/affiliate \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password"
}'
Or for brands:
curl -X POST https://api.affilync.com/api/auth/login/brand \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password"
}'
Response (200):
{
"success": true,
"message": "Login successful",
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "bearer",
"expires_in": 900,
"user": {
"id": "uuid",
"email": "[email protected]",
"user_type": "affiliate",
"subscription_tier": "free"
}
}
Use the Access Token
Include the access token in subsequent requests:
curl https://api.affilync.com/api/campaigns \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
Refresh the Token
Access tokens expire after 15 minutes. Use the refresh token to get a new pair:
curl -X POST https://api.affilync.com/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{
"refresh_token": "eyJhbGciOiJSUzI1NiIs..."
}'
Response (200):
{
"access_token": "eyJhbGciOiJSUzI1NiIs...",
"refresh_token": "eyJhbGciOiJSUzI1NiIs...",
"token_type": "bearer",
"expires_in": 900
}
Refresh tokens expire after 3 days or when a new refresh token is issued. Sessions are invalidated on each login to prevent session fixation attacks.
Two-Factor Authentication (2FA)
Enable TOTP-based two-factor authentication for enhanced account security. When 2FA is enabled on login, the API returns an MFA challenge token instead of full credentials.
Setup 2FA
curl -X POST https://api.affilync.com/api/2fa/setup \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
Response (200):
{
"success": true,
"qr_code": "data:image/png;base64,...",
"secret": "JBSWY3DPEBLW64TMMQ======",
"backup_codes": [
"a1b2c3d4",
"e5f6g7h8",
...
],
"message": "Scan the QR code with your authenticator app"
}
Enable 2FA
curl -X POST https://api.affilync.com/api/2fa/enable \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
-H "Content-Type: application/json" \
-d '{
"totp_code": "123456"
}'
Verify 2FA on Login
When 2FA is enabled, login returns an MFA challenge token. Verify the TOTP code:
curl -X POST https://api.affilync.com/api/2fa/verify \
-H "Content-Type: application/json" \
-d '{
"mfa_challenge_token": "eyJhbGciOiJSUzI1NiIs...",
"totp_code": "123456"
}'
Get 2FA Status
curl -X GET https://api.affilync.com/api/2fa/status \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..."
Response (200):
{
"enabled": true,
"backup_codes_remaining": 7,
"setup_completed_at": "2024-01-15T10:30:00Z"
}
Disable 2FA
curl -X POST https://api.affilync.com/api/2fa/disable \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
-H "Content-Type: application/json" \
-d '{
"password": "your-password"
}'
Token Details
| Property | Value |
|---|---|
| Access token lifetime | 15 minutes |
| Refresh token lifetime | 3 days |
| Token format | JWT (JSON Web Token) |
| Authorization header | Authorization: Bearer <access_token> |
Error Responses
| Status | Meaning |
|---|---|
401 Unauthorized | Missing, expired, or invalid token |
403 Forbidden | Valid token but insufficient permissions/scopes; or MFA required |
423 Locked | Too many failed login attempts; account temporarily locked |
{
"detail": "Token has expired",
"error_code": "TOKEN_EXPIRED"
}
MFA-required response:
{
"success": false,
"mfa_required": true,
"mfa_challenge_token": "eyJhbGciOiJSUzI1NiIs...",
"message": "Two-factor authentication required. Please verify with your authenticator app."
}
Best Practices
- Use API keys for backend integrations and JWT tokens for user-facing applications.
- Store tokens securely -- never expose them in client-side code or URLs.
- Always use httpOnly cookies for web clients; mobile clients may receive tokens in the response body.
- Implement automatic token refresh before the 15-minute expiry to avoid interruptions.
- Restrict each API key with an IP allowlist so it can only be used from your own servers.
- Enable 2FA on all production accounts for enhanced security.
- Rotate API keys regularly (recommended: every 90 days).