Authentication

AttractOS uses Bearer token authentication for API requests. Include your API key in the Authorization header as Bearer YOUR_API_KEY. API keys can be created and managed in your dashboard under Settings > API Keys.

API Keys vs Site Keys

AttractOS uses two types of keys:

Site Key (ak_...)
Used in the client-side tracking script. Safe to expose publicly. Identifies which site tracking data belongs to.

API Key
Used for server-side API access. Keep this secret. Provides access to read your analytics data via the REST API.

Creating an API Key

  1. Go to your Dashboard Settings
  2. Click API Keys in the sidebar
  3. Click Generate New Key
  4. Give your key a descriptive name (e.g., "Production Server")
  5. Copy the key immediately—it won't be shown again

Using Your API Key

Include your API key in the Authorization header for all API requests:

# Using curl
curl -X GET "https://attractos.com/api/v1/sites" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

// Using fetch
const response = await fetch('https://attractos.com/api/v1/sites', {
  headers: {
    'Authorization': 'Bearer YOUR_API_KEY',
    'Content-Type': 'application/json',
  },
});

const data = await response.json();
console.log(data.sites);

# Using requests (Python)
import requests

response = requests.get(
    'https://attractos.com/api/v1/sites',
    headers={
        'Authorization': 'Bearer YOUR_API_KEY',
        'Content-Type': 'application/json',
    }
)

data = response.json()
print(data['sites'])

Authentication Errors

If authentication fails, you'll receive one of these error responses:

  • 401 MISSING_KEY: No Authorization header provided
  • 401 INVALID_KEY: API key is invalid or has been revoked
  • 403 SITE_NOT_FOUND: Valid key, but you don't have access to the requested site

Security Best Practices

  • Never expose API keys in client-side code — Only use site keys in the browser
  • Use environment variables — Store API keys in .env files, not in source code
  • Rotate keys periodically — Generate new keys and revoke old ones every few months
  • Use separate keys per environment — Different keys for development, staging, and production
  • Monitor API usage — Check your dashboard for unexpected API activity
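
One way to check the first two practices before code ships, as an added example (not AttractOS code): a scan that flags Bearer tokens written literally into source or client bundles, while skipping the YOUR_API_KEY placeholder and values injected at runtime. The environment variable name ATTRACTOS_API_KEY and the sample key values are made up for illustration, and the scan assumes real API keys never start with $, { or %.

```python
import re

# A quoted "Bearer <token>" literal, optionally preceded by "Authorization:" (curl -H form).
BEARER_LITERAL = re.compile(r"""["'`]\s*(?:Authorization:\s*)?Bearer\s+([^"'`\s]+)""")
PLACEHOLDERS = {"YOUR_API_KEY"}  # the placeholder used in this page's request examples


def classify_token(token):
    """Return 'placeholder', 'dynamic', 'site_key' or 'hardcoded_secret'."""
    if token in PLACEHOLDERS:
        return "placeholder"
    # $VAR, ${...}, {name} or %s: the value is injected at runtime, not stored in the file.
    if token.startswith(("$", "{", "%")):
        return "dynamic"
    # Site keys (ak_...) are public, but the page assigns them to the tracking script only.
    if token.startswith("ak_"):
        return "site_key"
    return "hardcoded_secret"


def scan_source(text):
    """Return (line_number, kind) for every Bearer literal that needs review."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in BEARER_LITERAL.finditer(line):
            kind = classify_token(match.group(1))
            if kind in ("site_key", "hardcoded_secret"):
                findings.append((number, kind))
    return findings


# Constructed sample lines; the key values and ATTRACTOS_API_KEY are made up for this example.
SAMPLE = '''\
fetch(url, { headers: { 'Authorization': 'Bearer YOUR_API_KEY' } });
fetch(url, { headers: { Authorization: `Bearer ${process.env.ATTRACTOS_API_KEY}` } });
headers = {"Authorization": "Bearer " + os.environ["ATTRACTOS_API_KEY"]}
headers = {"Authorization": "Bearer 9f2c1e-constructed-example-value"}
curl -H "Authorization: Bearer ak_constructed_site_key" https://attractos.com/api/v1/sites
'''

if __name__ == "__main__":
    for number, kind in scan_source(SAMPLE):
        print(f"line {number}: {kind}")
```

A hardcoded_secret finding means the key should be moved to an environment variable and rotated; a site_key finding is not a leak, but marks a request that is using the wrong key type for the REST API.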

Frequently Asked Questions

Can I use the same API key across multiple projects?
Yes, but we recommend creating separate API keys for different projects or environments. This makes it easier to rotate keys and track API usage per project.

What happens if my API key is compromised?
Immediately revoke the key from your dashboard under Settings > API Keys. Generate a new key and update your applications. Revoked keys stop working immediately.

Do API keys expire?
No, API keys do not expire automatically. However, you can revoke them at any time from your dashboard. We recommend rotating keys periodically as a security best practice.

Is there a difference between site keys and API keys?
Site keys (starting with ak_) are used in the client-side tracking script and are safe to expose publicly. API keys are used for server-side API access and should be kept secret.