
Authentication

GhostFlow uses API keys prefixed with gf_ for programmatic access. Keys are passed via the Authorization header using the Bearer scheme:

Authorization: Bearer gf_abc123def456...

Generate keys from the Settings → API Keys page in your dashboard, or programmatically:

curl -X POST https://devcore.getghostflow.io/api/v1/auth/api-keys \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Key",
    "permissions": ["read:campaigns", "write:campaigns", "read:stats"]
  }'

Each API key can be scoped to specific permissions. Scopes follow the action:resource pattern:

Scope             Description
----------------  ---------------------------------------
read:campaigns    List and view campaigns
write:campaigns   Create, update, delete campaigns
read:domains      List and view domains
write:domains     Create, update, delete domains
read:offers       List and view offers
write:offers      Create, update, delete offers
read:sources      List and view traffic sources
write:sources     Create, update, delete sources
read:networks     List and view affiliate networks
write:networks    Create, update, delete networks
read:stats        Access statistics and reports
read:billing      View subscription and billing info
admin             Full administrative access

Legacy permissions (read, write, admin) are still supported and automatically expanded:

  • read → all read:* scopes
  • write → all read:* + write:* scopes
  • admin → all scopes
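The scope table and the legacy expansion rules above are enough to model how a key's effective permissions are computed and checked. The following is an added example, not GhostFlow's own code: it encodes the documented scopes and legacy expansions, answers "may this key perform this action?", reports scopes a key holds beyond what an integration needs (the least-privilege check from the best practices), and builds the Bearer header from an environment variable rather than a literal. The function names, the `GHOSTFLOW_API_KEY` variable name and the `gf_constructed...` sample value are assumptions for illustration; the server's real enforcement logic is not shown on the page.

```python
import os

# Scopes exactly as listed in the GhostFlow documentation table.
RESOURCES = ("campaigns", "domains", "offers", "sources", "networks")
READ_SCOPES = frozenset({f"read:{r}" for r in RESOURCES} | {"read:stats", "read:billing"})
WRITE_SCOPES = frozenset(f"write:{r}" for r in RESOURCES)
ALL_SCOPES = READ_SCOPES | WRITE_SCOPES | {"admin"}

# Legacy permission names and their documented expansion:
#   read  -> all read:* scopes
#   write -> all read:* + write:* scopes
#   admin -> all scopes
LEGACY = {
    "read": READ_SCOPES,
    "write": READ_SCOPES | WRITE_SCOPES,
    "admin": ALL_SCOPES,
}


def expand_permissions(permissions):
    """Return the effective scope set for a key's permission list.

    Unknown scope strings raise instead of being ignored, so a typo in a key
    definition is caught at creation time rather than silently granting nothing
    (or being matched loosely by a lenient checker).
    """
    effective = set()
    for p in permissions:
        if p in LEGACY:
            effective |= LEGACY[p]
        elif p in ALL_SCOPES:
            effective.add(p)
        else:
            raise ValueError(f"unknown scope: {p!r}")
    return frozenset(effective)


def is_authorized(permissions, required):
    """True if a key holding `permissions` may perform an action needing `required`.

    `admin` grants everything; otherwise the exact scope must be present.
    """
    effective = expand_permissions(permissions)
    return "admin" in effective or required in effective


def least_privilege_report(permissions, required_scopes):
    """Scopes the key holds that the integration does not actually need.

    An empty list means the key is already scoped to least privilege.
    """
    return sorted(expand_permissions(permissions) - set(required_scopes))


def auth_header_from_env(var="GHOSTFLOW_API_KEY", environ=None):
    """Build the Authorization header from an environment variable (assumed name).

    Keeping the secret out of source control is the documented practice; the
    gf_ prefix check catches a JWT or other token pasted into the wrong variable.
    """
    env = os.environ if environ is None else environ
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set")
    if not key.startswith("gf_"):
        raise ValueError(f"{var} does not look like a GhostFlow API key (expected gf_ prefix)")
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    # A key created with the legacy "write" permission, used by an integration
    # that only needs to read and write campaigns.
    key_perms = ["write"]
    needed = ["read:campaigns", "write:campaigns"]
    print("authorized for write:campaigns:", is_authorized(key_perms, "write:campaigns"))
    print("excess scopes:", least_privilege_report(key_perms, needed))
    # Constructed sample value, not a real key.
    print(auth_header_from_env(environ={"GHOSTFLOW_API_KEY": "gf_constructed_example"}))
```

Running the block shows why the legacy `write` permission is a poor fit for a narrowly scoped integration: it silently carries every `read:*` scope, including `read:billing`, which the explicit scope list from the curl example above would not.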

Action           Endpoint                                    Method
---------------  ------------------------------------------  ------
List keys        /api/v1/auth/api-keys                       GET
Create key       /api/v1/auth/api-keys                       POST
Delete key       /api/v1/auth/api-keys/{id}                  DELETE
Revoke key       /api/v1/auth/api-keys/{id}/revoke           PUT
Regenerate key   /api/v1/auth/api-keys/{id}/regenerate       POST
Audit log        /api/v1/auth/api-keys/{id}/audit-log        GET

  1. Use least-privilege scopes — Only grant the permissions each integration needs
  2. Rotate keys regularly — Use the regenerate endpoint to get a new secret
  3. Never commit keys — Use environment variables or secret managers
  4. Monitor usage — Check the audit log for unexpected API activity
  5. Revoke compromised keys immediately — Revoking is instant and cannot be undone

For browser-based access (dashboard), GhostFlow uses short-lived JWT access tokens with refresh token rotation. API keys are preferred for server-to-server integrations.