Authentication & API Security
JWT Authentication Flow
LinkForge API uses JSON Web Tokens (JWT) for stateless authentication. Tokens are issued after OAuth 2.0 authorization and expire after 3600 seconds.
Send the access token in the Authorization header of every request: Authorization: Bearer <token>. Refresh tokens remain valid for 730 days and must be exchanged for new access tokens via POST /auth/token/refresh. Failed authentication returns 401 Unauthorized; when a key approaches its rate limit, responses also carry a retry-after header.
Key Generation & Access Scopes
Generate keys directly from your dashboard under Settings > API. Each key is prefixed with lfk_ and follows a 48-character alphanumeric format.
Read-Only Scope
Prefix: lfk_r_. Grants access to GET /analytics, GET /links, and GET /webhooks. Ideal for reporting dashboards and third-party BI tools like Tableau or Metabase.
Write Scope
Prefix: lfk_w_. Enables POST /links, PUT /links/{id}, and DELETE /webhooks. Used by CI/CD pipelines and internal automation scripts.
Admin Scope
Prefix: lfk_a_. Full access including team management and billing endpoints. Requires two-factor authentication and IP allowlisting.
Storage, Rotation & Rate Limits
Protect your integration by following industry-standard security practices. LinkForge enforces strict rate limits to prevent abuse and ensure platform stability.
Never commit keys to version control. Use environment variables or a secret manager such as HashiCorp Vault or AWS Secrets Manager. Rotate keys every 90 days via the dashboard or POST /api/keys/rotate. Standard rate limits are 1200 requests per hour per key, with burst allowances up to 50 requests per minute. Exceeding a limit returns 429 Too Many Requests. Implement exponential backoff on 429 responses and monitor remaining quota through the X-RateLimit-Remaining response header.
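The retry behaviour described above (bearer header on every call, exponential backoff on 429, honouring Retry-After, tracking X-RateLimit-Remaining), as an added example that is not part of LinkForge's own SDK or documentation. The base delay, attempt limit and the fake transport are assumptions made for illustration; the token value is constructed.

```python
BASE_DELAY = 1.0    # seconds; assumed, the docs do not specify a schedule
MAX_ATTEMPTS = 5    # assumed cap before giving up


def backoff_delay(attempt, retry_after=None, base=BASE_DELAY):
    """Seconds to wait before retry number `attempt` (1-based).

    A Retry-After header from the server takes precedence; otherwise the
    delay doubles on each attempt (base, 2*base, 4*base, ...).
    """
    if retry_after is not None:
        return float(retry_after)
    return base * (2 ** (attempt - 1))


def call_with_backoff(send, method, path, token, sleep=lambda s: None):
    """Issue a request through `send`, retrying only on 429.

    `send(method, path, headers)` -> (status, headers, body) is the caller's
    transport (a thin wrapper around an HTTP client). `sleep` is injectable
    so tests run without waiting. Returns (status, body, delays, remaining).
    """
    headers = {"Authorization": f"Bearer {token}"}
    delays, remaining = [], None
    for attempt in range(1, MAX_ATTEMPTS + 1):
        status, resp_headers, body = send(method, path, headers)
        # Track remaining quota so callers can throttle before hitting 429.
        if "X-RateLimit-Remaining" in resp_headers:
            remaining = int(resp_headers["X-RateLimit-Remaining"])
        if status != 429:
            return status, body, delays, remaining   # 401 etc. are not retried
        delay = backoff_delay(attempt, resp_headers.get("Retry-After"))
        delays.append(delay)
        sleep(delay)
    raise RuntimeError(f"gave up on {method} {path} after {MAX_ATTEMPTS} attempts")


def make_fake_transport(responses):
    """Constructed stand-in for the network: replays `responses` in order."""
    queue, calls = list(responses), []

    def send(method, path, headers):
        calls.append((method, path, headers))
        return queue.pop(0)

    send.calls = calls
    return send
```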