Learn how to create and use API keys to authenticate requests to the Icodrip API.
The Icodrip API uses API keys for authentication. Every API request must include a valid API key in the Authorization header. API keys are scoped to an organization and inherit the organization's permissions and data access.
API keys are ideal for server-to-server communication. They should never be included in client-side code, browser JavaScript, or mobile apps. If you need to track events from the client, use the Icodrip SDK, which uses a separate, limited-scope public key.
Icodrip supports multiple API keys per organization. This lets you create separate keys for different services or environments (production, staging, development) and rotate keys without downtime.
Navigate to Settings > API Keys in your dashboard. Click "Create API Key" and enter a descriptive name for the key (e.g., "Production Backend" or "Staging Server"). The name helps you identify the key's purpose later.
After creating the key, Icodrip displays the full key value exactly once. Copy it immediately and store it securely — you will not be able to see the full key again. Icodrip stores only a hashed version of the key in the database.
API keys follow the format ak_live_xxxxxxxxxxxx for production keys and ak_test_xxxxxxxxxxxx for test mode keys. The prefix helps you quickly identify whether a key is for production or testing.
Include your API key in the Authorization header of every API request using the Bearer scheme. For example: Authorization: Bearer ak_live_your_key_here. All API requests must be made over HTTPS — requests over plain HTTP are rejected.
Here is a basic example using fetch: make a GET request to https://api.icodrip.com/v1/affiliates with the Authorization header set. The API responds with JSON data containing the requested resource.
All API responses include standard HTTP status codes. A 200 indicates success, 401 means invalid or missing API key, 403 means the key does not have permission for the requested operation, and 429 means you have exceeded the rate limit.
API requests are rate limited to prevent abuse and ensure fair usage across all customers. The default rate limit is 100 requests per minute per API key. If you exceed this limit, the API returns a 429 Too Many Requests response.
The response includes rate limit headers: X-RateLimit-Limit (your limit), X-RateLimit-Remaining (requests remaining in the current window), and X-RateLimit-Reset (Unix timestamp when the window resets). Use these headers to implement client-side rate limit handling.
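The request described above, combined with the status-code and rate-limit handling, as an added example (not Icodrip's own code). It assumes Node 18+ for the global fetch; the environment variable name ICODRIP_API_KEY and the helper names icodripGet and secondsUntilReset are hypothetical.

```javascript
// Added example, not Icodrip's own client. Assumptions: Node 18+ (global fetch),
// key supplied via an environment variable named ICODRIP_API_KEY (hypothetical name).
const BASE_URL = "https://api.icodrip.com/v1"; // HTTPS only; plain HTTP is rejected
const KEY_PREFIX = /^ak_(live|test)_\S+$/;     // checks the documented prefix only

// X-RateLimit-Reset is a Unix timestamp; turn it into a wait time in seconds.
function secondsUntilReset(headers, nowMs = Date.now()) {
  const reset = Number(headers.get("X-RateLimit-Reset"));
  if (!Number.isFinite(reset) || reset <= 0) return 1; // header absent: short fallback
  return Math.max(1, Math.ceil(reset - nowMs / 1000));
}

// GET a resource; fetchImpl and sleep are injectable so the logic can be tested offline.
async function icodripGet(path, opts = {}) {
  const {
    apiKey = process.env.ICODRIP_API_KEY,
    fetchImpl = fetch,
    sleep = (s) => new Promise((r) => setTimeout(r, s * 1000)),
    maxRetries = 3,
  } = opts;
  if (!KEY_PREFIX.test(apiKey || "")) {
    throw new Error("API key missing or malformed"); // never echo the key itself
  }
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(`${BASE_URL}${path}`, {
      headers: { Authorization: `Bearer ${apiKey}` },
    });
    if (res.status === 200) return res.json();
    if (res.status === 401) throw new Error("401: invalid or missing API key");
    if (res.status === 403) throw new Error("403: key lacks permission for this operation");
    if (res.status === 429 && attempt < maxRetries) {
      await sleep(secondsUntilReset(res.headers)); // wait for the window to reset
      continue;
    }
    throw new Error(`request failed with status ${res.status}`);
  }
}
```

A 401 or 403 is not retried, since repeating the request with the same key cannot succeed; only a 429 waits and retries, up to maxRetries times.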
If you need higher rate limits for your use case, contact our support team. Agency plans include custom rate limits based on your specific requirements.
Never commit API keys to version control. Use environment variables to store keys and reference them in your code. Add your .env file to .gitignore to prevent accidental commits. If a key is accidentally exposed, revoke it immediately and create a new one.
Rotate your API keys periodically, especially if team members who had access leave the organization. Create a new key, update your services to use it, verify everything works, and then revoke the old key. This zero-downtime rotation prevents any service interruption.
Use separate API keys for each environment and service. If one key is compromised, you can revoke it without affecting other services. The audit log in your dashboard shows which API key was used for each request, making it easy to trace the source of any suspicious activity.