Every request authenticates with an API key sent in the x-api-key header:
curl https://api.stockly.com/v1/users \
  -H "x-api-key: sk_stockly_your_key_here"
Your API key identifies your app. You never pass an app id, and you can only ever read or act on your own app’s users and rewards — another app’s data is invisible to you.
Treat your API key like a password. Keep it server-side; never embed it in client apps or commit it to source control. If a key is exposed, revoke it from the dashboard and mint a new one.

Errors

A missing or invalid key returns 401:
{
  "error": {
    "code": "unauthorized",
    "message": "Missing x-api-key header",
    "requestId": "f0e1d2c3-4b5a-6789-0abc-def012345678"
  }
}
See Errors for the full error format.
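
A server-side helper that follows the guidance above. This is an added example, not code from the Stockly SDK or docs. It reads the key from the process environment instead of source code and turns the documented error body into an exception that carries the `requestId`. The environment variable name `STOCKLY_API_KEY` and the names `load_key`, `parse_error`, `get` and `ApiError` are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.stockly.com/v1"  # base URL from the curl example above
KEY_ENV_VAR = "STOCKLY_API_KEY"          # assumed variable name, not defined by the docs


class ApiError(Exception):
    """Carries the fields of the documented error envelope; never the API key."""

    def __init__(self, status, code, message, request_id):
        super().__init__(f"{status} {code}: {message} (requestId={request_id})")
        self.status, self.code, self.request_id = status, code, request_id


def load_key(env=os.environ):
    """Read the key from the server's environment; fail before any request is sent."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def parse_error(status, body):
    """Turn an error response body into ApiError, tolerating non-JSON bodies."""
    try:
        err = json.loads(body)["error"]
        return ApiError(status, err.get("code"), err.get("message"), err.get("requestId"))
    except (ValueError, KeyError, TypeError, AttributeError):
        # e.g. an HTML page from a proxy in front of the API
        return ApiError(status, "unknown", "unparseable error body", None)


def get(path, key=None):
    """GET BASE_URL + path with the x-api-key header; raise ApiError on HTTP errors."""
    headers = {"x-api-key": key or load_key()}
    req = urllib.request.Request(BASE_URL + path, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        # "from None" keeps the original request object out of the traceback chain
        raise parse_error(e.code, e.read()) from None
```

Log `ApiError.request_id` when a call fails; it identifies the request without exposing the key.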