Skip to main content
All Public API requests are authenticated with an API key. Pass it in the X-API-Key HTTP request header — this is the preferred method:
GET https://your-domain.scaleo.io/api/v2/affiliate/profile
X-API-Key: YOUR_KEY
The user account that owns the key must have api_status enabled.

Deprecated: api-key query parameter

The api-key URL query parameter is still accepted for backwards compatibility but is deprecated and will be removed in a future release:
GET https://your-domain.scaleo.io/api/v2/affiliate/profile?api-key=YOUR_KEY
Migrate to the X-API-Key header. Support for the api-key query parameter will be removed approximately 6 months after this notice.

Role scoping

Each API key is bound to a specific user role and cannot call endpoints outside that role:
RoleEndpoint prefix
Manager/api/v2/network/...
Advertiser/api/v2/advertiser/...
Affiliate/api/v2/affiliate/...
Calling an endpoint with the wrong role’s key returns 403 Forbidden.

Where to find your key

  • Affiliate / Advertiser — dashboard → Profile → API.
  • Manager — admin panel → Users → Managers → → API.
Keys can be regenerated at any time. Regeneration invalidates the previous key immediately.

Security best practices

The X-API-Key header keeps your API key out of URLs, request logs, and browser history — always prefer the header over the query parameter.
  • Use HTTPS only — HTTP does not protect the key in transit.
  • If a key is leaked, rotate it from the dashboard immediately.
  • For server-to-server integrations, store keys in a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault) rather than in source control.