
Authentication

Authenticate with the Drapier API using JWT tokens or API keys.

Drapier supports two authentication methods depending on your use case.

Method      Use case                                               Format
API key     Programmatic access (feeds, commissions, deep links)   sk_live_... or sk_test_...
JWT token   Publisher portal sessions (browser-based)              Short-lived token from /auth/login

For most integrations, you'll use an API key.

API key authentication

Finding your API key

  1. Log in to the publisher dashboard.
  2. Navigate to Settings → API Keys.
  3. Copy the key that starts with sk_live_.

Test keys (sk_test_) are available for sandbox environments and do not generate real commissions.

Using the API key

Pass your API key in the Authorization header as a Bearer token on every request:

curl -H "Authorization: Bearer sk_live_abc123..." \
  https://api.drapier.io/api/v1/commissions/me

Example: fetch your publisher profile

curl -s -H "Authorization: Bearer sk_live_abc123..." \
  https://api.drapier.io/api/v1/publishers/me
{
  "id": "pub_8xk2m9",
  "name": "Luxury Fashion Blog",
  "email": "partner@example.com",
  "status": "ACTIVE",
  "createdAt": "2025-11-15T10:30:00Z"
}

Error responses

If your key is missing, invalid, or expired, the API returns a 401:

{
  "statusCode": 401,
  "message": "Invalid or expired API key",
  "error": "Unauthorized"
}

JWT authentication

JWT tokens are used internally by the publisher portal. If you're building a custom frontend that authenticates users via email and password, you can obtain a token from the login endpoint:

curl -X POST \
  -H "Content-Type: application/json" \
  -d '{"email": "partner@example.com", "password": "..."}' \
  https://api.drapier.io/api/v1/auth/login
{
  "accessToken": "eyJhbGciOiJSUzI1NiIs...",
  "expiresIn": 3600
}

Pass the token the same way:

curl -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIs..." \
  https://api.drapier.io/api/v1/publishers/me

JWT tokens expire after 1 hour. For server-to-server integrations, use an API key instead.

Rate limiting

All API endpoints enforce a rate limit of 100 requests per minute per API key.

When you exceed the limit, the API returns a 429 status with a Retry-After header indicating how many seconds to wait:

HTTP/1.1 429 Too Many Requests
Retry-After: 12
Content-Type: application/json

{
  "statusCode": 429,
  "message": "Rate limit exceeded. Try again in 12 seconds.",
  "error": "Too Many Requests"
}

Recommendations:

  • Cache responses where possible (product feeds, publisher profile).
  • Use exponential backoff when retrying after a 429.
  • Batch operations where the API supports it.
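The recommendations above (read the key from DRAPIER_API_KEY, send it as a Bearer token, honour Retry-After, back off exponentially, and never retry a 401) as a small Python client helper. This is an added example, not Drapier's own SDK; the Response class and the scripted sender are constructed stand-ins for a real HTTP library so the logic can run offline.

```python
import os
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

DRAPIER_API = "https://api.drapier.io/api/v1"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (status, headers, body)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


def retry_delay(attempt: int, retry_after: Optional[str], base: float = 1.0, cap: float = 60.0) -> float:
    """Seconds to wait before retry number `attempt` (1-based) after a 429.
    Uses the server's Retry-After value when it is numeric, otherwise capped
    exponential backoff: 1, 2, 4, ... seconds, never more than `cap`."""
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # HTTP-date form or garbage: fall back to backoff
    return min(cap, base * (2 ** (attempt - 1)))


def request_with_retry(send: Callable[[str, str, Dict[str, str]], Response], method: str, path: str,
                       api_key: Optional[str] = None, max_attempts: int = 5,
                       sleep: Callable[[float], None] = time.sleep) -> Response:
    """Call `send(method, url, headers)` with the Bearer key from DRAPIER_API_KEY.
    Retries only on 429; a 401 means the key is bad and is returned as-is."""
    api_key = api_key or os.environ.get("DRAPIER_API_KEY")
    if not api_key:
        raise RuntimeError("DRAPIER_API_KEY is not set")
    headers = {"Authorization": f"Bearer {api_key}"}
    resp = Response(status=0)
    for attempt in range(1, max_attempts + 1):
        resp = send(method, f"{DRAPIER_API}{path}", headers)
        if resp.status != 429 or attempt == max_attempts:
            break
        sleep(retry_delay(attempt, resp.headers.get("Retry-After")))
    return resp


def scripted_sender(responses) -> Callable[[str, str, Dict[str, str]], Response]:
    """Constructed fake transport: hands back the scripted responses in order."""
    queue = list(responses)

    def send(method: str, url: str, headers: Dict[str, str]) -> Response:
        assert headers["Authorization"].startswith("Bearer ")
        return queue.pop(0)
    return send
```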

Security best practices

Never expose your API key in client-side code, public repositories, or browser network requests.

  • Use environment variables — Store your API key in an environment variable (DRAPIER_API_KEY) rather than hardcoding it.
  • Restrict access — Only share your key with systems that need it. Use separate keys for different environments.
  • Rotate regularly — Generate a new API key from the dashboard periodically. Old keys can be revoked immediately.
  • Server-side only — All API calls should originate from your backend. Never call the Drapier API from a browser.
  • Monitor usage — Check the dashboard for unexpected spikes in API usage that could indicate a leaked key.

If you believe your API key has been compromised, revoke it immediately from Settings → API Keys and generate a new one.
