Authentication
OptSens uses two separate keys. Nothing visible to your website visitors grants access to the REST API:
| Credential | Type | Purpose | Visibility |
|---|---|---|---|
| Domain ID | Public | Embedded in the CDN script tag on your website | Visible to anyone visiting your site |
| REST API secret | Private | REST API v1 authentication | Shown once in the dashboard, never again |
Webhook deliveries are signed with a separate secret, issued per webhook when you create it. See Webhooks.
Generate a REST API secret
- Open Dashboard > API & Webhooks and switch to the REST API tab.
- Select Generate API Secret.
- Copy the secret immediately. It is shown only once.
- If you lose it, generate a new one. The old secret is invalidated immediately.
Send authenticated requests
Include the secret in every request with either header:
X-Api-Key: YOUR_API_SECRET
or
Authorization: Bearer YOUR_API_SECRET
Failure behavior
- A missing, invalid or inactive key always returns the same generic
401 Invalid API keyresponse. - The domain's subscription must be active and its plan must include API access.