Skip to Content

Authentication

All API requests are authenticated using an API key passed via the X-API-KEY HTTP header. Your organisation can hold multiple keys (one per integration is common) — any active key authenticates a request. See Obtaining Your API Key to create and manage them.

curl -X GET "https://api.codelloy.com/link/external/v1/shortenedUrl?page=0&size=20" \ -H "X-API-KEY: your_api_key_here"

Important: Every request must include the X-API-KEY header. Requests without it will receive a 401 Unauthorized response.


How It Works

  1. Generate an API key from the Codelloy Dashboard.
  2. Include the key in the X-API-KEY header of every request.
  3. The server validates your key and associates the request with your organization.
  4. If the key is missing, invalid (unknown), or revoked, the API returns a 401 Unauthorized error. API keys do not expire.

Header Format

HeaderTypeRequiredDescription
X-API-KEYstringYesYour API key obtained from the dashboard
X-Request-IdstringNoYour own correlation id (≤ 200 characters). Stored on the request-log entry as Your request ID so you can match a Codelloy log to your own records.

Every response also returns an X-Request-Id header carrying Codelloy’s own id for the call. If you send your own on the request, it is kept alongside (never replaces) Codelloy’s id — see Request logs.


Example

curl -X POST "https://api.codelloy.com/link/external/v1/shortenedUrl/save" \ -H "X-API-KEY: your_api_key_here" \ -H "X-Request-Id: my-correlation-id-123" \ -H "Content-Type: application/json" \ -d '{"url": "https://example.com"}'

Error Responses

Authentication failures return HTTP 401 with the standard JSON envelope and error code SML003.

Missing API Key:

HTTP/1.1 401 Unauthorized Content-Type: application/json
{ "errors": [ { "code": "SML003", "message": "Send API key in the request" } ] }

Invalid API Key:

HTTP/1.1 401 Unauthorized Content-Type: application/json
{ "errors": [ { "code": "SML003", "message": "API Key is Invalid. Please check your API Key or generate a new one" } ] }

Revoked API Key:

A key that was revoked is a distinct auth-failure reason from an unknown key — it no longer authenticates and cannot be reactivated. Requests using it also return HTTP 401 with SML003, but carry a distinct message so you can tell a revoked key apart from an unknown one.

HTTP/1.1 401 Unauthorized Content-Type: application/json
{ "errors": [ { "code": "SML003", "message": "API Key has been revoked. Please generate a new key." } ] }
Last updated on