Authentication

Authenticate REST API requests with an API key. Send the key in the X-Api-Key header on every request.

API operations

Key concepts

API Key
API key authentication via the X-Api-Key header. Keys have the format ac_live_ followed by a base64-encoded value. The server hashes the key with SHA-256 to look up the associated user, organization, and (when scoped) advertiser.
Bearer Token
GET /v1/me accepts a bearer token in addition to X-Api-Key, which is useful when the caller already has a session credential. All other endpoints expect X-Api-Key.
Unresolved Principal
An authenticated principal can lack a resolved AdCritter context. When that happens, GET /v1/me returns a 200 response with user.id and organization.id set to null. Treat that as 'authenticated but not yet provisioned' rather than as an error.

When building apps

Handling Your API Key
Store the key as a server-side secret and proxy all requests through a server-side function so it never reaches the browser. Keys cannot be retrieved after creation, so save the value when it's first issued and rotate by creating a new key.
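
The following is an added sketch, not AdCritter's code, of the scheme described under API Key and Handling Your API Key: a key table that holds only SHA-256 digests, which is why a lost key can be replaced but not read back. The KeyStore class, the hex digest encoding, the 32-byte key length, standard base64 and the revoke-on-rotate policy are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

PREFIX = "ac_live_"  # key prefix stated on this page


class KeyStore:
    """Illustrative server-side key table: holds SHA-256 digests, never plaintext keys."""

    def __init__(self):
        self._by_digest = {}  # hex digest (assumed encoding) -> principal

    @staticmethod
    def digest(api_key):
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def issue(self, user_id, organization_id, advertiser_id=None):
        """Create a key; the plaintext is returned once and not kept."""
        # 32 random bytes and standard base64 are assumptions of this sketch.
        api_key = PREFIX + base64.b64encode(secrets.token_bytes(32)).decode("ascii")
        self._by_digest[self.digest(api_key)] = {
            "user_id": user_id,
            "organization_id": organization_id,
            "advertiser_id": advertiser_id,  # set only for advertiser-scoped keys
        }
        return api_key

    def resolve(self, headers):
        """Map the X-Api-Key header to a principal, or None if it does not match."""
        api_key = headers.get("X-Api-Key", "")
        if not api_key.startswith(PREFIX):
            return None
        try:
            base64.b64decode(api_key[len(PREFIX):], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        return self._by_digest.get(self.digest(api_key))

    def rotate(self, old_key):
        """Issue a new key for the same principal, then revoke the old one (assumed policy)."""
        principal = self._by_digest.get(self.digest(old_key))
        if principal is None:
            raise KeyError("unknown key")
        new_key = self.issue(**principal)
        del self._by_digest[self.digest(old_key)]
        return new_key

    def stored_values(self):
        return list(self._by_digest)
```

Because the table contains only digests, a dump of it does not yield a usable X-Api-Key value, and the only recovery path for a lost key is rotation.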