Getting Started Local Runtime Checklist

Business Guide Campaign Lifecycle API Keys and Security

User Guide Rewards and Claims

Developer Integration SDK Quickstart API Reference Events and Idempotency

System Architecture Runtime Flow Data Model

Advanced Concepts Operations Runbook Failure Modes

Business Guide

API Keys and Security

How business API keys are validated and safely used in integrations.

Accepted Credential Formats

SDK endpoints accept API keys via:

x-refkit-api-key
x-api-key
Authorization: Bearer <key>

Origin Restrictions

If a key has allowedOrigins configured, requests are rejected unless origin/referer matches one of the allowed origins.

Key Lifecycle Endpoints

Create key: POST /business/api-keys
Rotate key: POST /business/api-keys/:apiKeyId/rotate
Revoke key: DELETE /business/api-keys/:apiKeyId

Revoked keys are blocked immediately during middleware validation.

Operational Guidance

Use TEST environment keys outside production.
Keep key rotation part of deployment hygiene.
Avoid exposing long-lived LIVE keys in client-only bundles without origin restrictions.

Campaign Lifecycle

End-to-end lifecycle from funding verification to reward payout readiness.

User Guide

User-facing referral code management and referral activity views.

On this page

Accepted Credential Formats Origin Restrictions Key Lifecycle Endpoints Operational Guidance