All Public API requests are authenticated with an API key. Pass it in the
X-API-Key HTTP request header — this is the preferred method:
GET https://your-domain.scaleo.io/api/v2/affiliate/profile
X-API-Key: YOUR_KEY
The user account that owns the key must have api_status enabled.
Deprecated: api-key query parameter
The api-key URL query parameter is still accepted for backwards compatibility
but is deprecated and will be removed in a future release:
GET https://your-domain.scaleo.io/api/v2/affiliate/profile?api-key=YOUR_KEY
Migrate to the X-API-Key header. Support for the api-key query parameter
will be removed approximately 6 months after this notice.
Role scoping
Each API key is bound to a specific user role and cannot call endpoints
outside that role:
| Role | Endpoint prefix |
|---|
| Manager | /api/v2/network/... |
| Advertiser | /api/v2/advertiser/... |
| Affiliate | /api/v2/affiliate/... |
Calling an endpoint with the wrong role’s key returns 403 Forbidden.
Where to find your key
- Affiliate / Advertiser — dashboard → Profile → API.
- Manager — admin panel → Users → Managers → → API.
Keys can be regenerated at any time. Regeneration invalidates the previous
key immediately.
Security best practices
The X-API-Key header keeps your API key out of URLs, request logs, and
browser history — always prefer the header over the query parameter.
- Use HTTPS only — HTTP does not protect the key in transit.
- If a key is leaked, rotate it from the dashboard immediately.
- For server-to-server integrations, store keys in a secrets manager
(e.g. AWS Secrets Manager, HashiCorp Vault) rather than in source control.