> ## Documentation Index
> Fetch the complete documentation index at: https://docs.scaleo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> API keys and role scoping for the Scaleo Public API.

All Public API requests are authenticated with an **API key**. Pass it in the
`X-API-Key` HTTP request header — this is the **preferred** method:

```
GET https://your-domain.scaleo.io/api/v2/affiliate/profile
X-API-Key: YOUR_KEY
```

The user account that owns the key must have `api_status` enabled.

## Deprecated: `api-key` query parameter

The `api-key` URL query parameter is still accepted for backwards compatibility
but is **deprecated** and will be removed in a future release:

```
GET https://your-domain.scaleo.io/api/v2/affiliate/profile?api-key=YOUR_KEY
```

<Warning>
  Migrate to the `X-API-Key` header. Support for the `api-key` query parameter
  will be removed approximately 6 months after this notice.
</Warning>

## Role scoping

Each API key is bound to a specific user role and **cannot** call endpoints
outside that role:

| Role       | Endpoint prefix          |
| ---------- | ------------------------ |
| Manager    | `/api/v2/network/...`    |
| Advertiser | `/api/v2/advertiser/...` |
| Affiliate  | `/api/v2/affiliate/...`  |

Calling an endpoint with the wrong role's key returns `403 Forbidden`.

## Where to find your key

* **Affiliate / Advertiser** — dashboard → **Profile → API**.
* **Manager** — admin panel → **Users → Managers → {user} → API**.

Keys can be regenerated at any time. Regeneration invalidates the previous
key immediately.

## Security best practices

<Tip>
  The `X-API-Key` header keeps your API key out of URLs, request logs, and
  browser history — always prefer the header over the query parameter.
</Tip>

* Use **HTTPS** only — HTTP does not protect the key in transit.
* If a key is leaked, rotate it from the dashboard immediately.
* For server-to-server integrations, store keys in a secrets manager
  (e.g. AWS Secrets Manager, HashiCorp Vault) rather than in source control.
