Skip to main content
The Quickleap API uses Bearer token authentication to secure all API requests. You must include a valid authentication token in the Authorization header of every request.

Authentication method

Quickleap uses Bearer token authentication. All API requests must include an Authorization header with your token: 
Authorization: Bearer YOUR_TOKEN
The API client automatically includes credentials with every request (withCredentials: true) and supports cookie-based authentication for browser environments.

Obtaining your API token

To get your API token:
  1. Log in to your Quickleap dashboard
  2. Navigate to SettingsAPI Tokens
  3. Click Generate New Token
  4. Copy and securely store your token
Your API token grants full access to your account. Never share it publicly or commit it to version control. If your token is compromised, regenerate it immediately from your dashboard.

Making authenticated requests

Include your token in the Authorization header of every API request: 
const token = 'your_api_token_here';

const response = await fetch('https://api.quickleap.io/get-redirects/me', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  },
  credentials: 'include' // Include cookies
});

const redirects = await response.json();
console.log(redirects);

Authentication errors

The API returns specific error codes for authentication failures:

Missing token

If you don’t include an Authorization header, you’ll receive a 401 Unauthorized response: 
{
  "error": {
    "message": "Authentication required",
    "code": "MISSING_TOKEN"
  }
}

Invalid token

If your token is invalid or malformed: 
{
  "error": {
    "message": "Invalid authentication token",
    "code": "INVALID_TOKEN"
  }
}

Expired token

If your token has expired: 
{
  "error": {
    "message": "Authentication token has expired",
    "code": "EXPIRED_TOKEN"
  }
}
When you receive an expired token error, obtain a new token from your dashboard or refresh your authentication session.

Token storage best practices

Server-side applications

For server-side applications, store your API token securely using environment variables: 
// .env file (never commit this!)
QUICKLEAP_API_TOKEN=your_token_here

// Your application code
require('dotenv').config();

const token = process.env.QUICKLEAP_API_TOKEN;

const response = await fetch('https://api.quickleap.io/get-redirects/me', {
  headers: {
    'Authorization': `Bearer ${token}`,
    'Content-Type': 'application/json'
  }
});

Client-side applications

For browser-based applications, the Quickleap API supports cookie-based authentication. The client automatically includes cookies with requests when withCredentials: true is set.
For browser applications, consider using cookie-based authentication instead of storing tokens in localStorage to prevent XSS attacks.

CI/CD and automation

For CI/CD pipelines and automation scripts:
  1. Store tokens in your CI/CD platform’s secret management system
  2. Inject tokens as environment variables at runtime
  3. Never hardcode tokens in scripts or configuration files
  4. Use different tokens for different environments (development, staging, production)

Request interceptors

The Quickleap API client includes request interceptors that:
  1. Automatically add tokens - Tokens from cookies are added to every request
  2. Trim data - Request data is automatically trimmed of whitespace
  3. Set headers - Content-Type and custom headers are automatically configured
Example interceptor implementation: 
import axios from 'axios';
import Cookies from 'js-cookie';

const client = axios.create({
  baseURL: 'https://api.quickleap.io',
  headers: {
    'Content-Type': 'application/json'
  },
  timeout: 60000,
  withCredentials: true
});

// Add token from cookie to every request
client.interceptors.request.use(async (config) => {
  const token = Cookies.get('token');
  if (token) {
    config.headers.Authorization = `Bearer ${token}`;
  }
  return config;
});

export default client;

Security best practices

Use HTTPS only

Always use HTTPS for API requests. The Quickleap API rejects requests over HTTP.

Rotate tokens regularly

Regenerate your API tokens periodically to minimize security risks.

Use environment variables

Never hardcode tokens in your application code or commit them to version control.

Implement token refresh

Handle token expiration gracefully by implementing automatic token refresh logic.

Token permissions

API tokens have the same permissions as your user account. They can:
  • Create, read, update, and delete redirects
  • Access all analytics data
  • Manage rules and conditions
  • Modify account settings
There is no way to create tokens with limited scopes. Keep this in mind when sharing access or integrating with third-party services.

Revoking tokens

To revoke an API token:
  1. Go to SettingsAPI Tokens in your dashboard
  2. Find the token you want to revoke
  3. Click Revoke or Delete
Revoked tokens become invalid immediately and cannot be restored. Any applications using the revoked token will receive 401 Unauthorized errors.

Testing authentication

Test your authentication setup with a simple request: 
curl -X GET https://api.quickleap.io/get-redirects/me \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -v

Next steps

API overview

Learn about API resources and concepts

Redirects

Start managing redirects via API

Analytics

Access analytics data programmatically

Error handling

Handle API errors gracefully