| title | API Keys |
|---|---|
| description | Learn how to create and manage API keys for programmatic access to Spoo.me |
| icon | key |
API keys provide programmatic access to the Spoo.me API without requiring interactive authentication. They allow you to automate URL shortening, retrieve analytics, and manage your URLs from scripts, applications, and integrations.
API keys are only available in **API v1**. The legacy v0 API does not support API key authentication.Spoo.me v1 API supports three authentication methods:
No authentication required - Lower rate limits - Cannot manage URLs later - Limited features Interactive user sessions - Full dashboard access - Manage URLs via web UI - Highest privileges Programmatic access - Scoped permissions - Long-lived tokens - Perfect for automationAPI keys can be granted specific permissions (scopes) to limit their access:
| Scope | Description | Endpoints |
|---|---|---|
shorten:create |
Create new shortened URLs | POST /api/v1/shorten |
urls:read |
View URL details and list | GET /api/v1/urls |
urls:manage |
Update and delete URLs | PATCH/DELETE /api/v1/urls/* |
stats:read |
Access analytics data | GET /api/v1/stats |
admin:all |
Full administrative access | All endpoints |
- Log in to your Spoo.me Dashboard
- Navigate to Settings → API Keys
- Click Create New API Key
- Configure your key:
- Name: Human-readable identifier (e.g., "Production Server")
- Description: Optional details about key's purpose
- Scopes: Select required permissions
- Expiration: Optional expiration date
- Click Create
- Copy the key immediately - it won't be shown again!
API keys must be sent in the Authorization header with the Bearer scheme:
Authorization: Bearer YOUR_API_KEY_HEREcurl -X POST https://spoo.me/api/v1/shorten \
-H "Authorization: Bearer spoo_AbCdEfGhIjKlMnOpQrStUvWxYz" \
-H "Content-Type: application/json" \
-d '{
"long_url": "https://example.com/very/long/url",
"alias": "mylink"
}'curl -X GET "https://spoo.me/api/v1/stats?scope=all" \
-H "Authorization: Bearer spoo_AbCdEfGhIjKlMnOpQrStUvWxYz"curl -X GET "https://spoo.me/api/v1/urls?page=1&pageSize=20" \
-H "Authorization: Bearer spoo_AbCdEfGhIjKlMnOpQrStUvWxYz"API keys grant authenticated rate limits, which are significantly higher than anonymous limits:
- **60 requests/minute** - **5000 requests/day** - Access to management endpoints - Private stats support - **20 requests/minute** - **1000 requests/day** - Cannot manage URLs - Public URLs only - Use environment variables, not hardcoded values - Never commit keys to version control - Use `.gitignore` to exclude files containing keys - Grant only the permissions needed - Create separate keys for different purposes - Use `shorten:create` for simple automation, not `admin:all` - Set expiration dates on keys - Rotate keys every 90-180 days - Revoke old keys after rotation **20 keys per user**Only non-revoked keys count toward this limit.
Prevents abuse and key spam.
**Solution**: Verify the key is active and correctly formatted.
**Solution**: Check that your key has the required scopes for the endpoint.
**Solution**: Implement exponential backoff, cache results, or upgrade your rate limits.
**Solution**: Create a new API key if you lost the original.
graph LR
A[Create Key] --> B[Active Key]
B --> C[Use in Requests]
C --> D{Key Valid?}
D -->|Yes| E[Request Succeeds]
D -->|No| F[401 Unauthorized]
B --> G[Revoke/Delete]
G --> H[Key Inactive]