API Authentication

All API requests require a valid API key

Every request to the AWSYS.CO API must include an Authorization header using the Bearer token scheme. There are no cookies or session-based authentication methods for API access.

Generating an API Key

API keys are generated from your account dashboard:

  1. Sign in to your AWSYS.CO account
  2. Navigate to Settings → API
  3. Click Generate new key
  4. Copy and store your key immediately — it is shown only once

Store it securely. Your API key is displayed only once at generation time. If you lose it, you must revoke it and generate a new one.

Request Header Format

Include the API key in every request using the Authorization header:

Authorization: Bearer awsys_live_xxxxxxxxxxxxxxxxxxxx

Full curl example

curl -X POST https://awsys.co/api/createShort \
  -H "Authorization: Bearer awsys_live_xxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json" \
  -d '{"long": "aHR0cHM6Ly9leGFtcGxlLmNvbQ=="}'

API Key Types

Prefix Environment Use case
awsys_live_... Production All production API calls on https://awsys.co

Security Best Practices

  • Never expose your API key in client-side JavaScript. Anyone who obtains your key can create links and read analytics under your account.
  • Use environment variables. Store keys in .env files or your CI/CD secrets manager, never in source code.
  • Rotate immediately if compromised. Revoke the affected key in Settings → API and generate a replacement.
  • One key per application. Use separate keys for different services so you can revoke a single one without disrupting others.

Example: environment variable pattern

# .env (never commit this file)
AWSYS_API_KEY=awsys_live_xxxxxxxxxxxxxxxxxxxx
// Node.js
const response = await fetch('https://awsys.co/api/createShort', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${process.env.AWSYS_API_KEY}`,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ long: btoa('https://example.com') }),
});

Authentication Errors

If your API key is missing, malformed, or invalid, you will receive a 401 response:

HTTP/1.1 401 Unauthorized
{
  "error": "Unauthorized",
  "code": "INVALID_TOKEN"
}

If your key is valid but lacks permission for the requested operation, you will receive a 403 response:

HTTP/1.1 403 Forbidden
{
  "error": "Forbidden",
  "code": "UNAUTHORIZED"
}

See the Error Reference for a full list of error codes.