Authentication
All Plugin API requests are authenticated with a per-server API key. Keys are bearer credentials — anyone who has the key can act as that Server.
Sending the key
SimpleLinks accepts the API key in three places, in order of preference:
X-API-Keyheader (recommended)Authorization: Bearer <key>headersecretquery parameter (legacy compatibility; avoid for new integrations)
# Preferred
curl "https://simplelinks.cc/api?action=count" \
-H "X-API-Key: sl_live_…"
# Bearer alternative
curl "https://simplelinks.cc/api?action=count" \
-H "Authorization: Bearer sl_live_…"Key format
Production keys begin with sl_live_ followed by 48 hex characters. The key prefix (first 12 chars) is safe to log; the full key is hashed at rest and only retrievable from the dashboard until the next regenerate.
Key lifecycle
- Auto-mint: created with the Server, never expires.
- Regenerate: rotates the key in place. The old key fails immediately on the next request.
- No delete: the key only disappears when the Server itself is deleted. This is intentional — one Server, one permanent key slot.
If a key leaks, regenerate immediately. Then update your Rust/Oxide plugin config or environment variables and reload the plugin.
Errors
| Code | Meaning | Fix |
|---|---|---|
| 401 | Missing or invalid key | Check header spelling and key value. |
| 403 | Key revoked or server inactive | Regenerate or re-enable in dashboard. |
| 429 | Rate-limited | See Rate Limits. |