Skip to main content
API keys let you shorten URLs, create custom slugs, and manage your links from any application or script without using the browser dashboard. Each key is tied to your account and authenticates your requests to the Shorturlx REST API.
Never expose your API key in client-side code, public repositories, or anywhere it could be read by others. If a key is compromised, revoke it immediately from your dashboard and generate a new one.

Generating an API key

1

Open your account dashboard

Sign in to Shorturlx and navigate to your dashboard.
2

Go to API key management

Select API Key Management from the dashboard navigation.
3

Create a new key

Click Create new key. Enter a descriptive name so you can identify the key later (for example, CI pipeline or Personal scripts).
4

Set an optional expiration

Choose an expiry period from the dropdown: 7 days, 30 days, 90 days, 1 year, or Never expires. You can always revoke a key manually before it expires.
5

Copy the key

The full key is displayed once, immediately after creation. Copy it and store it somewhere secure — you will not be able to see the full key value again.

Key format

Every API key follows this format: 
sk_<48 hex characters>
For example: 
sk_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6
The key is generated using crypto.randomBytes(24), giving 192 bits of entropy.

Key lifecycle

StatusDescription
ActiveThe key is valid and can authenticate API requests
ExpiredThe expiresAt date has passed; the key is no longer accepted
RevokedYou manually revoked the key; it is no longer accepted
Expired and revoked keys are not deleted from the database, but they are rejected by the API. Revoked keys do not reappear in your active key list.

Using your API key

Include your API key in the Authorization header of every request using the Bearer scheme. 
curl --request POST \
  --url https://www.shorturlx.xyz/api/shorten \
  --header "Authorization: Bearer sk_your_api_key_here" \
  --header "Content-Type: application/json" \
  --data '{"url": "https://example.com/long-url"}'

Rate limits

Authenticated requests (those that include a valid API key) are limited to 100 requests per 10 minutes. Unauthenticated requests are limited to 10 requests per 10 minutes. When you exceed the limit, the API responds with 429 Too Many Requests. The response includes rate limit headers so you can track your usage:
HeaderDescription
X-RateLimit-LimitMaximum requests allowed in the window
X-RateLimit-RemainingRequests remaining in the current window
X-RateLimit-ResetUnix timestamp (ms) when the window resets

Security best practices

Store your API key in an environment variable and read it at runtime. Never hard-code it in source files. 
# Set in your environment
export SHORTURLX_API_KEY="sk_your_api_key_here"
JavaScript
const apiKey = process.env.SHORTURLX_API_KEY;
Python
import os
api_key = os.environ["SHORTURLX_API_KEY"]

Revoking a key

To revoke a key, go to API Key Management in your dashboard, find the key by name, and click Revoke. The key is immediately invalidated and will be rejected on any subsequent request.

Next steps

API reference

Full documentation for all available endpoints.

Authentication

Details on how API key authentication works.

Rate limits

Understand rate limit windows and response headers.

Custom slugs

Use the API to create branded short links.

Build docs developers (and LLMs) love

Get started for freeTalk to us