API Keys

Generate, list, and revoke creator API keys for external integrations.

Base URLs:

Production: https://fangate.info/api
Development: https://fangate.co/api

Overview

Current scope includes only:

create key
list keys
revoke key

Not included for now:

rotate key
rename key
expiry scheduler/cleanup job

Authentication uses bearer tokens:

Authorization: Bearer <api_key>

Generated keys are stored hashed by Sanctum and the plaintext token is shown only once at create time.

Scope matrix

Fixed behavior:

get_existing_urls -> always ON
get_existing_collection_urls -> always ON
view_account_settings -> always OFF (hard blocked)
create_new_urls -> toggle
view_transactions -> toggle

Endpoint permission matrix

Generated API keys are whitelist-only:

Endpoint	Method	Required ability	Behavior
`/api/products`	`GET`	`api-key:urls.read`	Allowed
`/api/products/collection`	`GET`	`api-key:collection-urls.read`	Allowed
`/api/products`	`POST`	`api-key:urls.write`	Allowed if `create_new_urls=true`
`/api/products/{product}`	`PATCH`	`api-key:urls.write`	Allowed if `create_new_urls=true` (metadata edit)
`/api/products/{product}/price`	`PATCH`	`api-key:urls.write`	Allowed if `create_new_urls=true` (update existing link price)
`/api/products/{product}/price-links`	`POST`	`api-key:urls.write`	Allowed if `create_new_urls=true` (create new link with new price)
`/api/products/{product}`	`DELETE`	`api-key:urls.write`	Allowed if `create_new_urls=true`
`/api/products/media/{media}`	`DELETE`	`api-key:urls.write`	Allowed if `create_new_urls=true`
`/api/upload-sessions*`	`GET/POST/DELETE`	`api-key:urls.write`	Allowed if `create_new_urls=true`
`/api/wallet`	`GET`	`api-key:transactions.read`	Allowed if `view_transactions=true`
`/api/wallet/affiliate`	`GET`	`api-key:transactions.read`	Allowed if `view_transactions=true`
`/api/user`	`GET`	N/A	Hard blocked for generated API keys
`/api/user/{user}`	`PATCH`	N/A	Hard blocked for generated API keys
`/api/user`	`DELETE`	N/A	Hard blocked for generated API keys

Any non-whitelisted API route returns 403.

Rate limits

API key management endpoints use combined limits:

Per token (fallback user) + IP
Per IP guardrail

Current limits:

Endpoint	Per token/user + IP	Per IP
`POST /api/user/api-keys`	10/min	30/min
`GET /api/user/api-keys`	30/min	60/min
`DELETE /api/user/api-keys/{tokenId}`	30/min	60/min

GET /api/user/api-keys

List generated API keys for the authenticated creator.

Auth required: Yes

Example response

json

{
  "success": true,
  "errors_message": null,
  "data": [
    {
      "id": 14,
      "name": "fangate-api-key:zapier",
      "last_used_at": "2026-04-25T08:30:00Z",
      "expires_at": null,
      "created_at": "2026-04-25T08:00:00Z",
      "abilities": [
        "api-key:urls.read",
        "api-key:collection-urls.read",
        "api-key:urls.write"
      ]
    }
  ]
}

POST /api/user/api-keys

Create a generated API key.

Auth required: Yes
Content type: application/json

Request body

Field	Type	Required	Notes
`name`	string	Yes	Label used for token name prefix `fangate-api-key:`
`can_create_new_urls`	boolean	No	Enables `api-key:urls.write`
`can_view_transactions`	boolean	No	Enables `api-key:transactions.read`
`expires_in_days`	integer	No	Optional explicit expiry

Example request

bash

curl -X POST https://fangate.info/api/user/api-keys \
  -H "Authorization: Bearer <creator-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "zapier",
    "can_create_new_urls": true,
    "can_view_transactions": false,
    "expires_in_days": 90
  }'

Example response

json

{
  "success": true,
  "errors_message": null,
  "data": {
    "token": "1|plain-text-token",
    "name": "fangate-api-key:zapier",
    "expires_at": "2026-07-24T08:00:00Z",
    "permissions": {
      "get_existing_urls": true,
      "get_existing_collection_urls": true,
      "create_new_urls": true,
      "view_transactions": false,
      "view_account_settings": false
    }
  }
}

DELETE /api/user/api-keys/

Revoke a generated API key by token id.

Auth required: Yes

Example response

json

{
  "success": true,
  "errors_message": null,
  "data": "API key revoked"
}

Security notes

API key plaintext is returned once on creation only.
Hashed storage + one-time display is considered acceptable for current phase.
last_used_at from Sanctum is used as minimal audit trail for now.
Single auth format is used for API keys: Authorization: Bearer <api_key>.
No key-expiry scheduler is configured for now.

API Keys ​

Overview ​

Scope matrix ​

Endpoint permission matrix ​

Rate limits ​

GET /api/user/api-keys ​

Example response ​

POST /api/user/api-keys ​

Request body ​

Example request ​

Example response ​

DELETE /api/user/api-keys/ ​

Example response ​

Security notes ​

API Keys

Overview

Scope matrix

Endpoint permission matrix

Rate limits

GET /api/user/api-keys

Example response

POST /api/user/api-keys

Request body

Example request

Example response

DELETE /api/user/api-keys/

Example response

Security notes