Home Developer Reference API Keys & Authentication

API Keys & Authentication

Last updated on Apr 09, 2026

API keys & authentication

The Edge API trusts signed requests from your LinkMe app credentials. Keys are issued and managed inside the Portal so you can rotate them without rebuilding the SDKs.

API access is available on paid plans. On the Free plan, requests are rejected with error: paid_plan_required and upgrade_url: https://li-nk.me/portal/account.

Create and rotate keys in the Portal, then pair this page with the pricing overview if you are deciding which plan should hold production domains, team seats, and automation workflows.

Key types

Key type Use case Capabilities
App API Key Bundled with a specific app and used by SDKs to resolve links or claim deferred payloads. can_read by default; optionally granted can_write for server-side automation.
Server/API Key Generated per workspace for CLI scripts or backend jobs (create links, sync metadata). Typically can_write; protect it like any other secret.

Each key stores:

  • appId – immutable identifier for the app/workspace.
  • appKey – secret value you send as x-api-key.
  • Capability flags (can_read, can_write).
  • Optional expiry and label so you remember why it exists.

Sending credentials

SDK endpoints accept lightweight headers, while admin APIs additionally support a Bearer token when you are automating from a trusted server.

GET /api/deeplink?cid=abc123 HTTP/1.1
Host: li-nk.me
x-app-id: YOUR_APP_ID
x-api-key: YOUR_APP_KEY

For write operations (creating links, rotating domains) use your server/API key and the Authorization header:

curl https://li-nk.me/api/links \ 
  -H 'Authorization: Bearer sk_live_...' \ 
  -H 'Content-Type: application/json' \ 
  -d '{"slug":"spring","ios_store_url":"https://apps.apple.com/..."}'

Rotation & hygiene

  1. Name keys clearly – include the environment, app, and purpose so you know what to delete later.
  2. Avoid embedding write keys in mobile apps – SDKs should only ship read scopes; keep write access on servers.
  3. Rotate on a schedule – create a new key, deploy it, then remove the old one in Portal.
  4. Monitor usage – Portal shows last used timestamps; revoke anything that looks idle or unexpected.

Pair this page with the REST Endpoints & OpenAPI doc to understand how the credentials interact with the rest of the system. Contact support if you need deeper architectural artifacts for vendor reviews.

If you are validating end-to-end routing after creating keys, the Universal Links Validator and developer setup overview are the fastest next steps.

For Model Context Protocol integrations, follow the MCP Security & Access Model so tooling remains scoped to normal REST permissions.