Authentication
Every API request requires an X-API-Key header.
Getting a key
Section titled “Getting a key”- Sign in to qck.sh/app
- Navigate to API
- Click Create API Key
- Copy it (shown only once)
Keys start with qck_ and are 32 characters long.
curl https://qck.sh/public-api/v1/links \ -H "X-API-Key: qck_your_api_key_here"const res = await fetch('https://qck.sh/public-api/v1/links', { headers: { 'X-API-Key': 'qck_your_api_key_here' },});import requestsres = requests.get( 'https://qck.sh/public-api/v1/links', headers={'X-API-Key': 'qck_your_api_key_here'})Permissions
Section titled “Permissions”Each key has granular scopes. Assign only what you need:
| Permission | Access |
|---|---|
links:read | List and get links |
links:write | Create and update links |
links:delete | Delete links |
analytics:read | Query click analytics |
domains:read | List custom domains |
domains:write | Create and manage custom domains |
webhooks:read | List webhooks and deliveries |
webhooks:write | Create, update, delete webhooks |
conversions:read | Query conversion data |
journey:read | Query journey sessions and events |
journey:write | Ingest journey events |
IP allowlists
Section titled “IP allowlists”Restrict a key to specific IPs. Requests from other IPs get 403 Forbidden.
Key limits by tier
Section titled “Key limits by tier”| Tier | Keys |
|---|---|
| Free | 1 |
| Basic ($19/mo) | 3 |
| Growth ($49/mo) | 10 |
| Pro ($99/mo) | 25 |
| Business ($249/mo) | 50 |
Security
Section titled “Security”- Keys are stored as SHA-256 hashes, never in plaintext
- The full key is shown only once at creation
- Revoked keys are immediately invalidated