Authentication
All API requests are authenticated using an API key passed via the X-API-KEY HTTP header. Your organisation can hold multiple keys (one per integration is common) — any active key authenticates a request. See Obtaining Your API Key to create and manage them.
curl -X GET "https://api.codelloy.com/link/external/v1/shortenedUrl?page=0&size=20" \
-H "X-API-KEY: your_api_key_here"Important: Every request must include the
X-API-KEYheader. Requests without it will receive a401 Unauthorizedresponse.
How It Works
- Generate an API key from the Codelloy Dashboard.
- Include the key in the
X-API-KEYheader of every request. - The server validates your key and associates the request with your organization.
- If the key is missing, invalid (unknown), or revoked, the API returns a
401 Unauthorizederror. API keys do not expire.
Header Format
| Header | Type | Required | Description |
|---|---|---|---|
X-API-KEY | string | Yes | Your API key obtained from the dashboard |
X-Request-Id | string | No | Your own correlation id (≤ 200 characters). Stored on the request-log entry as Your request ID so you can match a Codelloy log to your own records. |
Every response also returns an X-Request-Id header carrying Codelloy’s own id for the call. If you send your own on the request, it is kept alongside (never replaces) Codelloy’s id — see Request logs.
Example
curl -X POST "https://api.codelloy.com/link/external/v1/shortenedUrl/save" \
-H "X-API-KEY: your_api_key_here" \
-H "X-Request-Id: my-correlation-id-123" \
-H "Content-Type: application/json" \
-d '{"url": "https://example.com"}'Error Responses
Authentication failures return HTTP 401 with the standard JSON envelope and error code SML003.
Missing API Key:
HTTP/1.1 401 Unauthorized
Content-Type: application/json{
"errors": [
{ "code": "SML003", "message": "Send API key in the request" }
]
}Invalid API Key:
HTTP/1.1 401 Unauthorized
Content-Type: application/json{
"errors": [
{ "code": "SML003", "message": "API Key is Invalid. Please check your API Key or generate a new one" }
]
}Revoked API Key:
A key that was revoked is a distinct auth-failure reason from an unknown key — it no longer authenticates and cannot be reactivated. Requests using it also return HTTP 401 with SML003, but carry a distinct message so you can tell a revoked key apart from an unknown one.
HTTP/1.1 401 Unauthorized
Content-Type: application/json{
"errors": [
{ "code": "SML003", "message": "API Key has been revoked. Please generate a new key." }
]
}