The dashboard exists because most of our customers run small campaigns and the click-through-a-form flow is fine. But once you are running a creator program with 200 sub-IDs, or shipping a new App Store release every two weeks, you want the link layer to be something you can terraform apply.

01Authentication

API keys are issued from the dashboard, scoped to your workspace, and either read or read-write. Read keys come with Pro. Read-write keys come with Team. Every request needs Authorization: Bearer <key>. Keys can be rotated, named, and revoked individually. We log every API call against the key so you can see who did what.

Recommended

Issue a separate key per CI pipeline, per environment, and per integration. Granular keys make rotation painless and audit logs readable.

02What the API can do

There are four resources at v1. They each support the obvious CRUD verbs plus a small set of resource-specific endpoints:

  • /v1/links — create, list, get, update, delete. Plus POST /v1/links/batch for up to 1,000 at once.
  • /v1/clicks — list-only, filterable by link, date range, country, OS, and UTM. Paginated cursors.
  • /v1/qr/{link_id} — fetch the QR for a link as PNG, SVG, or PDF.
  • /v1/webhooks — register, list, rotate the signing secret, delete.

03The official SDKs

We ship official SDKs for four languages. They are thin wrappers — the same resource verbs, with typed responses and retry-with-backoff baked in. None of them adds new endpoints the raw API does not have.

  1. Node@approute/node on npm, ESM and CJS, TypeScript types first-class.
  2. Pythonapproute on PyPI, sync and async (httpx) clients.
  3. Gogithub.com/approute/approute-go, context-aware, no third-party deps.
  4. Rubyapproute on RubyGems, autoload-friendly.

All four are MIT licensed and on GitHub. If you want a language we do not have, the OpenAPI spec at getapproute.com/api/openapi.json generates passable clients in most ecosystems.

04Webhooks worth subscribing to

Three events are stable today:

  • link.created — fires after a successful create. Useful for syncing into your CRM or warehouse.
  • link.click_threshold — fires when a link crosses a click count you configured. Good for paging on launch days.
  • link.password_failed — fires after N failed password attempts in a window. Good for security automation.

Every payload is signed with an HMAC over the body using your webhook's signing secret. The signature is in X-Approute-Signature. We retry on non-2xx for up to 24 hours with exponential backoff.

05What you should not automate

Two things, both learned the hard way:

  1. Slug generation from titles. Auto-slugging a campaign title is fine right up until the title is Launch!!! Final. Slugs are part of your URL. Treat them like git branch names.
  2. Bulk deletes triggered by a sync job. If your CRM goes down, your link inventory should not vanish. Always soft-delete, always require a manual confirm above some threshold.

Full reference is at /docs/api and the OpenAPI spec is the source of truth — if the docs and the spec disagree, trust the spec, then file an issue and we will fix the docs.