Authentication
Every API request must be authenticated with your API key. Pass the
key in the Authorization header using the Basic scheme, with the key (including its
key- prefix) as the credential:
Authorization: Basic key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
note
Unlike standard HTTP Basic auth, you send the raw API key — not a base64-encoded
user:password string. Just put Basic followed by your key-... value.
Example request
curl https://api.prolinksqr.com/links \
-H "Authorization: Basic key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
For requests with a body, also set the content type:
curl -X POST https://api.prolinksqr.com/folders \
-H "Authorization: Basic key-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{ "name": "Campaigns" }'
Scopes and permissions
Each endpoint requires a specific scope. A request succeeds only if your key includes
that scope (or the catch-all all scope). This table maps every API-key endpoint to
its required scope:
| Method & path | Required scope |
|---|---|
GET /links, GET /links/:id | links.read |
POST /links | links.create |
PUT /links/:id, PATCH /links/:id | links.update |
DELETE /links/:id, POST /links/:id/archive | links.delete |
POST /links/:id/pause | links.pause |
POST /links/:id/resume | links.resume |
POST /links/:id/duplicate | links.create |
POST /links/:id/save-template | templates.create |
GET /folders, GET /folders/:id | folders.read |
POST /folders | folders.create |
PUT /folders/:id | folders.update |
DELETE /folders/:id | folders.delete |
GET /templates, GET /templates/:id | templates.read |
POST /templates | templates.create |
PUT /templates/:id | templates.update |
DELETE /templates/:id | templates.delete |
POST /bulk-generate | bulk.create |
GET /cafes, GET /cafes/:id (and nested reads) | cafe.read |
POST /cafes | cafe.create |
PUT /cafes/:id (and nested writes) | cafe.update |
DELETE /cafes/:id | cafe.delete |
Auth errors
| Status | Cause |
|---|---|
401 | Missing Authorization header, malformed key, or the key is inactive/deleted. |
403 | The key is valid but does not include the scope the endpoint requires. |
{ "message": "You do not have permission to perform this action." }
Keeping keys safe
- Treat API keys like passwords. Never commit them to source control or expose them in client-side code.
- Use a separate key per integration so you can revoke one without affecting others.
- Rotate keys periodically: create a new key, switch your integration over, then delete the old one.