Authentication

Learn how API keys work, manage scopes, and keep your keys secure.

How authentication works

All API requests require an API key passed via the X-API-Key header. Without a valid key, the API returns a 401 Unauthorized response.

Keys are prefixed with tai_ so you can quickly identify them in your codebase and secret managers. On our end, every key is hashed with SHA-256 before it touches the database — we never store the raw key, so treat the value you receive at creation time as a secret you cannot recover.

bash
curl -H "X-API-Key: tai_abc123..." \
  "https://api.theaffiliateindex.com/v1/programs"

API key scopes

Each key is assigned one or more scopes that control what it can access. When you create a key, select only the scopes your integration needs.

Scope                | Description                              | Plan
---------------------|------------------------------------------|-----
programs:read        | Read program listings, search, filter    | Free
categories:read      | Read category listings and details       | Free
reviews:read         | Read published reviews                   | Free
organizations:read   | Read public organization profiles        | Free
programs:write       | Create and update program listings       | Pro
organizations:write  | Update organization settings             | Pro
analytics:read       | Access click and view analytics          | Pro
webhooks:manage      | Create and manage webhooks               | Pro

Free API keys include all read scopes by default. Write scopes require a Claimed or Pro plan.

Insufficient scope errors

If your key lacks a required scope, the API responds with a 403 Forbidden and a structured error body:

json
{
  "error": "This action requires the \"programs:write\" scope.",
  "code": "INSUFFICIENT_SCOPE"
}

To fix this, head to Dashboard → Developer and create a new key with the required scopes. Existing keys cannot have their scopes modified — this is by design so that a compromised key cannot be escalated.

Managing your keys

You can create up to 10 active keys per account. Each key displays a truncated prefix (e.g. tai_8f3a2b1c...) so you can tell them apart without exposing the full value.

Keys can be revoked at any time from the dashboard. Revocation is immediate — any in-flight request using a revoked key will receive a 401 Unauthorized response.

Manage your keys from the Developer tab in your Dashboard.

Security best practices

Keep your keys safe

  • Never expose API keys in client-side code (browsers, mobile apps).
  • Use environment variables to store keys — never hard-code them.
  • Rotate keys periodically, especially after team changes.
  • Use the minimum scopes your integration needs.
  • Revoke keys you are no longer using.

Store your key in an environment variable and reference it at runtime:

bash
export TAI_API_KEY="tai_your_key_here"

javascript
// Read the key from the environment at runtime; never embed it in source or ship it to a browser.
const response = await fetch(
  "https://api.theaffiliateindex.com/v1/programs",
  {
    headers: { "X-API-Key": process.env.TAI_API_KEY },
  }
);