Authentication

All API requests must be authenticated using a bearer token in the Authorization header.

Bearer token authentication

Include your API key in the Authorization header of every request:

Authorization Header
Authorization: Bearer offly_sk_live_...

Creating API keys

Navigate to Settings → API Keys in the Offly app and click Create API Key. Give it a descriptive name and select the scopes you need. Copy the key immediately — it won't be shown again.

Keys follow the format: offly_sk_live_...

Example authenticated request

Here's how to make an authenticated request to list users:

curl https://api.offly.net/api/v1/users \
  -H "Authorization: Bearer offly_sk_live_abc123..."

Keeping keys secure

⚠️ Security warning

Never expose API keys in frontend code, public repositories, or client-side applications. Only use API keys from backend systems and server-side code.

  • Store keys in environment variables or a secrets manager
  • Never commit keys to version control
  • Use the minimum scopes necessary for your use case
  • Rotate keys periodically and after any suspected compromise
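
One way to enforce "never commit keys to version control", as an added example that is not part of the Offly documentation: a POSIX shell scanner that flags strings carrying the `offly_sk_live_` prefix and masks them in its own output. The character set and minimum length after the prefix, and the `OFFLY_API_KEY` variable name, are assumptions.

```sh
#!/bin/sh
# Added example (not Offly's code): find Offly-style API keys in files.
# Assumption: after the documented "offly_sk_live_" prefix a key has 8 or
# more characters from [A-Za-z0-9_-]; the docs do not specify the format.
OFFLY_KEY_RE='offly_sk_live_[A-Za-z0-9_-]{8,}'

# scan_file FILE: print "FILE:LINE: <masked key>" for each hit.
# Returns 0 if clean, 1 if a key-like string was found, 2 if unreadable.
scan_file() {
  grep_rc=0
  hits=$(grep -noE -- "$OFFLY_KEY_RE" "$1" 2>/dev/null) || grep_rc=$?
  case $grep_rc in
    0) ;;                # at least one match, report it below
    1) return 0 ;;       # no match
    *) printf '%s: unreadable, failing closed\n' "$1" >&2; return 2 ;;
  esac
  # Keep the prefix plus 4 characters for identification and mask the rest,
  # so the scanner's own output (terminal, CI log) never holds a usable key.
  printf '%s\n' "$hits" |
    sed -E 's/^([0-9]+):(offly_sk_live_.{4}).*$/\1: \2****/' |
    while IFS= read -r hit; do printf '%s:%s\n' "$1" "$hit"; done
  return 1
}

# scan_paths FILE...: scan each regular file; returns 1 if any file fails.
scan_paths() {
  paths_rc=0
  for f in "$@"; do
    [ -f "$f" ] || continue
    scan_file "$f" || paths_rc=1
  done
  return "$paths_rc"
}

# demo: constructed sample files. One hard-codes a made-up key, the other
# reads it from the environment (OFFLY_API_KEY is a hypothetical name).
demo() {
  dir=$(mktemp -d) || return 2
  printf 'API_KEY = "offly_sk_live_CONSTRUCTEDexample0001"\n' > "$dir/leaky.py"
  printf 'API_KEY = os.environ["OFFLY_API_KEY"]\n' > "$dir/clean.py"
  demo_rc=0
  scan_paths "$dir/leaky.py" "$dir/clean.py" || demo_rc=$?
  rm -rf "$dir"
  return "$demo_rc"
}

# Scan files named on the command line, e.g. from a pre-commit hook or CI.
if [ "$#" -gt 0 ]; then scan_paths "$@"; fi
```

Pass the changed files as arguments from a pre-commit hook or CI job; a non-zero exit status means a key-like string was found or a file could not be read. The elided placeholders used in this documentation (`offly_sk_live_...`, `offly_sk_live_abc123...`) are too short to match the assumed pattern.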

Rotating keys

To rotate a key, create a new one in Settings → API Keys, update your systems to use the new key, then revoke the old one. This ensures zero downtime during rotation.

Revoking keys

To revoke a key, go to Settings → API Keys, find the key, and click Revoke. The key will immediately stop working. Any requests made with a revoked key will receive a 401 Unauthorized response.