Server SDK
Authentication
Secure your API requests with private API keys
The useLoyalty API uses API key authentication to secure all requests. Each project has unique API keys that identify and authorize requests.
API Key Types
| Type | Prefix | Usage |
|---|---|---|
| Private Key | sk_ | Server-side SDK calls (full access) |
| Public Key | pk_ | Widget initialization only |
Never expose your private API key (sk_) in client-side code. Use it only in
server-to-server communication.
Getting Your API Keys
- Navigate to your project dashboard
- Go to Settings → API Keys
- Copy your private key for server-side use
Authentication Methods
Bearer Token (Recommended)
Include your API key in the Authorization header:
```bash
curl -X GET https://app.useloyalty.app/api/v1/members \
  -H "Authorization: Bearer sk_your_private_key"
```
X-API-Key Header
Alternatively, use the X-API-Key header:
```bash
curl -X GET https://app.useloyalty.app/api/v1/members \
  -H "X-API-Key: sk_your_private_key"
```
Code Examples
Node.js / TypeScript
```typescript
const USELOYALTY_API_KEY = process.env.USELOYALTY_API_KEY;
const USELOYALTY_API_URL = "https://app.useloyalty.app/api/v1";

async function useLoyaltyRequest(endpoint: string, options: RequestInit = {}) {
  // Fail fast rather than send "Bearer undefined" when the key is not configured.
  if (!USELOYALTY_API_KEY) {
    throw new Error("USELOYALTY_API_KEY is not set");
  }

  const response = await fetch(`${USELOYALTY_API_URL}${endpoint}`, {
    ...options,
    headers: {
      Authorization: `Bearer ${USELOYALTY_API_KEY}`,
      "Content-Type": "application/json",
      ...options.headers,
    },
  });

  if (!response.ok) {
    // Error bodies are JSON with a "message" field; fall back if parsing fails.
    const error = await response.json().catch(() => ({}));
    throw new Error(error.message || "API request failed");
  }

  return response.json();
}

// Usage
const members = await useLoyaltyRequest("/members");
```
Python
```python
import os

import requests

USELOYALTY_API_KEY = os.environ.get('USELOYALTY_API_KEY')
USELOYALTY_API_URL = 'https://app.useloyalty.app/api/v1'


def useloyalty_request(endpoint, method='GET', data=None):
    headers = {
        'Authorization': f'Bearer {USELOYALTY_API_KEY}',
        'Content-Type': 'application/json'
    }
    response = requests.request(
        method,
        f'{USELOYALTY_API_URL}{endpoint}',
        headers=headers,
        json=data,
        timeout=10,  # requests has no default timeout; avoid hanging forever
    )
    # Raises requests.HTTPError on 4xx/5xx, including the 401/403 auth errors.
    response.raise_for_status()
    return response.json()


# Usage
members = useloyalty_request('/members')
```
PHP
```php
<?php
$apiKey = getenv('USELOYALTY_API_KEY');
$apiUrl = 'https://app.useloyalty.app/api/v1';

function useLoyaltyRequest($endpoint, $method = 'GET', $data = null) {
    global $apiKey, $apiUrl;

    $ch = curl_init($apiUrl . $endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Authorization: Bearer ' . $apiKey,
        'Content-Type: application/json'
    ]);

    if ($method === 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
    }

    $response = curl_exec($ch);
    // curl_exec() returns false on transport failure; surface it instead of decoding it.
    if ($response === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('API request failed: ' . $error);
    }
    curl_close($ch);

    return json_decode($response, true);
}

// Usage
$members = useLoyaltyRequest('/members');
```
API Key Security
Best Practices
- Environment Variables: Store keys in environment variables, never in code
- Server-Side Only: Never expose private keys to browsers
- Rotate Regularly: Rotate keys periodically and after team changes
- Least Privilege: Use separate keys for different environments
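A build-time check for the rules above about keeping private keys out of code and out of browsers, as an added example that is not part of the useLoyalty documentation: it scans client source or build output for strings carrying the private `sk_` prefix and reports them redacted. The key pattern (at least 16 characters after the prefix), the file-suffix list and the sample bundle are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: a private key is "sk_" followed by at least 16 key characters.
# The page documents only the prefix, so adjust the pattern to your real keys.
PRIVATE_KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_[A-Za-z0-9_]{16,}")
PLACEHOLDERS = {"sk_your_private_key"}  # documentation placeholder, not a secret
TEXT_SUFFIXES = {".js", ".mjs", ".ts", ".tsx", ".jsx", ".html", ".json", ".map", ".env"}


def redact(key: str) -> str:
    """Keep enough of the key to identify it without re-leaking it in CI logs."""
    return key[:7] + "..." + key[-2:]


def scan_text(text: str, source: str = "<string>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for each private key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PRIVATE_KEY_RE.finditer(line):
            if match.group(0) not in PLACEHOLDERS:
                findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Scan every text asset under a client build or source directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in TEXT_SUFFIXES:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings


# Constructed sample of a client bundle: one leaked private key (made up),
# one public key, and the documentation placeholder.
SAMPLE_BUNDLE = """\
const widget = init({ key: "pk_4f9a1c77b2e04d5a9c31" });
fetch(url, { headers: { Authorization: "Bearer sk_9d2e7a11c0b84f6e8a55" } });
// docs: -H "Authorization: Bearer sk_your_private_key"
"""

if __name__ == "__main__":
    for source, lineno, key in scan_text(SAMPLE_BUNDLE, "bundle.js"):
        print(f"{source}:{lineno}: private API key {key} in client code")
```

Run `scan_tree` against the client build directory in CI and fail the job when it returns any finding; a key that reached a published bundle should be rotated, not just removed.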
Key Rotation
When you need to rotate an API key:
- Generate a new key from the dashboard
- Update your application to use the new key
- Revoke the old key once migration is complete
Authentication Errors
| Status | Error | Solution |
|---|---|---|
| 401 | Missing API key | Include Authorization header |
| 401 | Invalid API key | Check key is correct and not revoked |
| 401 | API key expired | Generate a new key from dashboard |
| 403 | Insufficient permissions | Use a private key for this operation |
```json
{
  "error": "Unauthorized",
  "message": "Invalid or missing API key"
}
```
Testing Authentication
Verify your API key is working:
```bash
curl -X GET https://app.useloyalty.app/api/v1/members \
  -H "Authorization: Bearer sk_your_private_key"
```
A successful response confirms your authentication is configured correctly.