API Authentication
Securely authenticate and authorize your API requests
Authentication Overview
Rewatched uses API keys for authentication. There are two types of keys depending on your use case:
SDK Key
Public key for client-side tracking (browser, mobile apps)
rw_sdk_abc123def456ghi789
API Key
Secret key for server-side API calls (dashboard access, exports)
rw_api_xyz789abc456def123
Security Warning: Never expose your API key in client-side code or public repositories. SDK keys are safe to use in browsers, but API keys must remain secret.
Getting Your API Keys
- Log in to your Rewatched dashboard
- Navigate to Settings → API Keys
- Your SDK key is shown for each application
- Click Generate API Key for server-side access
- Copy and securely store your keys
Tip: Store API keys in environment variables, not in your source code.
SDK Authentication (Client-Side)
Use your SDK key to initialize the analytics SDK in your application:
```javascript
import rewatched from '@rewatched/analytics';

rewatched.init('rw_sdk_abc123def456ghi789', {
  apiHost: 'https://api.rewatched.io',
  autocapture: true
});

// Now you can track events
rewatched.capture('button_clicked', {
  button: 'signup'
});
```
The SDK key is validated against your configured domain whitelist for security.
API Authentication (Server-Side)
For server-side API calls, include your API key in the Authorization header:
```bash
curl https://api.rewatched.io/v1/events \
  -H "Authorization: Bearer rw_api_xyz789abc456def123" \
  -H "Content-Type: application/json" \
  -d '{
    "event": "purchase_completed",
    "userId": "user_123",
    "properties": {
      "amount": 99.99,
      "currency": "USD"
    }
  }'
```
Node.js Example
```javascript
const axios = require('axios');

// Read the key from the environment; never hardcode it in source
const apiKey = process.env.REWATCHED_API_KEY;

async function trackEvent(event, userId, properties) {
  const response = await axios.post(
    'https://api.rewatched.io/v1/events',
    {
      event,
      userId,
      properties
    },
    {
      headers: {
        'Authorization': `Bearer ${apiKey}`,
        'Content-Type': 'application/json'
      }
    }
  );
  return response.data;
}

// Usage: top-level await is not available in a CommonJS module,
// so consume the promise instead
trackEvent('purchase_completed', 'user_123', {
  amount: 99.99,
  currency: 'USD'
}).then(console.log).catch(console.error);
```
Python Example
```python
import requests
import os

# Read the key from the environment; never hardcode it in source
api_key = os.getenv('REWATCHED_API_KEY')

def track_event(event, user_id, properties):
    response = requests.post(
        'https://api.rewatched.io/v1/events',
        json={
            'event': event,
            'userId': user_id,
            'properties': properties
        },
        headers={
            'Authorization': f'Bearer {api_key}',
            'Content-Type': 'application/json'
        }
    )
    # On failure the body carries the error object described under Error Handling
    return response.json()

# Usage
track_event('purchase_completed', 'user_123', {
    'amount': 99.99,
    'currency': 'USD'
})
```
Rate Limits
To ensure service quality, API requests are rate limited:
- Event Ingestion: 10,000 req/min (POST /v1/events) - High throughput for real-time tracking
- Analytics Queries: 100 req/min (GET /v1/analytics/*) - Dashboard data and reports
- Data Export: 10 req/hour (POST /v1/exports) - Large data exports
Rate Limit Headers: Check the X-RateLimit-Remaining and X-RateLimit-Reset response headers.
Error Handling
The API uses standard HTTP status codes:
- 200 OK - Request succeeded
- 401 Unauthorized - Invalid or missing API key
- 403 Forbidden - Valid key but no permission for resource
- 429 Too Many Requests - Rate limit exceeded
Example Error Response
```json
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked",
    "statusCode": 401
  }
}
```
Security Best Practices
Use environment variables
Never hardcode API keys. Use .env files and never commit them to git.
Rotate keys periodically
Generate new API keys every 90 days and revoke old ones.
Use HTTPS only
Always use HTTPS endpoints. HTTP requests will be rejected.
Don't share API keys
Each team member should have their own account. Never share keys via email or Slack.
Don't log API keys
Sanitize logs to prevent accidentally exposing keys in error messages.
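The following is an added example, not code from the Rewatched docs or SDK, that wraps the Python call above with the handling the Rate Limits, Error Handling and Security Best Practices sections describe: fail fast on 401/403, wait out a 429 using X-RateLimit-Reset, and redact anything that looks like a key before it reaches a log line or exception message. It assumes X-RateLimit-Reset is a Unix timestamp in seconds (the guide does not state the header's unit), and the `send` transport parameter is an assumption that lets the logic run without a network.

```python
import logging
import os
import re
import time

API_URL = 'https://api.rewatched.io/v1/events'
# Matches the key formats shown in this guide (rw_sdk_... and rw_api_...)
KEY_PATTERN = re.compile(r'rw_(?:sdk|api)_[A-Za-z0-9]+')

def redact_keys(text):
    """Mask anything that looks like a Rewatched key before it reaches a log line."""
    return KEY_PATTERN.sub(lambda m: m.group(0)[:7] + '***', text)

def retry_delay(headers, now):
    """Seconds to wait after a 429. Assumption: X-RateLimit-Reset is a Unix
    timestamp in seconds (the guide does not state its unit); default to 1s."""
    reset = headers.get('X-RateLimit-Reset')
    return 1.0 if reset is None else max(0.0, float(reset) - now)

def send_with_requests(payload, api_key):
    """Default transport: the guide's requests.post call, as (status, headers, body)."""
    import requests  # imported lazily so this module loads without the dependency
    r = requests.post(API_URL, json=payload, headers={
        'Authorization': f'Bearer {api_key}', 'Content-Type': 'application/json'})
    try:
        body = r.json()
    except ValueError:  # e.g. an empty 429 body
        body = {}
    return r.status_code, r.headers, body

def track_event(event, user_id, properties, send=send_with_requests,
                max_attempts=3, sleep=time.sleep, clock=time.time):
    """Post one event: retry only on 429, fail fast on 401/403, never log the key."""
    api_key = os.getenv('REWATCHED_API_KEY', '')
    payload = {'event': event, 'userId': user_id, 'properties': properties}
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send(payload, api_key)
        if status == 200:
            return body
        if status in (401, 403):
            # Auth failures do not fix themselves on retry; surface the error code
            code = body.get('error', {}).get('code', 'unknown')
            raise PermissionError(redact_keys(f'{status} {code} (key {api_key})'))
        if status == 429 and attempt < max_attempts:
            delay = retry_delay(headers, clock())
            logging.warning('rate limited, retrying in %.1fs (attempt %d)', delay, attempt)
            sleep(delay)
            continue
        raise RuntimeError(f'unexpected status {status} on attempt {attempt}')
```

Only 429 is retried: a 401 or 403 is raised immediately, since repeating an unauthorized request only burns quota.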