Authentication
Every API request needs an API key. Here's how to get one and use it.
Getting Your API Key
In Dashboard
- Go to dashboard.loyali.io
- Navigate to Settings → API Keys
- Click Create API Key
- Select the key type
- Copy the key — you won't see it again
Key Types
Private Keys
sk_live_...
Full access to everything. Server-side only.
✓ Create customers
✓ Award points
✓ Manage rewards
✓ All data
Public Keys
pk_live_...
Read-only access. Safe for browsers.
✓ Look up customers
✓ View points
✓ See rewards
✗ Cannot modify
Never Expose Private Keys
Private keys should only be used on your server. Never put them in frontend JavaScript, mobile apps, or anywhere users can see them.
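As an added example (not Loyali's own tooling), a build step can enforce this rule by scanning the files that ship to clients for the sk_live_ prefix while leaving pk_live_ keys alone. It assumes the characters after the prefix are letters, digits or underscores (the page documents only the prefixes), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: block a frontend build that contains a private key.
# Assumption: the characters after the sk_live_ prefix are letters,
# digits or "_". The page documents only the prefixes.

# List "file:line" for every private-key-shaped string under a directory.
# The key text itself is not printed, so CI logs do not become a second leak.
scan_private_keys() {
    grep -rnIE 'sk_live_[A-Za-z0-9_]+' "$1" 2>/dev/null | cut -d: -f1,2
}

# Exit status 0 when the tree is clean, 1 when a private key is present.
check_bundle() {
    hits=$(scan_private_keys "$1")
    [ -z "$hits" ] && return 0
    printf 'private key in client-side files:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree: one file holds a public key, one a private key.
# Both key values are made up for this example.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ok" "$d/bad"
    printf 'const key = "pk_live_constructed0001";\n' > "$d/ok/app.js"
    printf '// config\nconst key = "sk_live_constructed0002";\n' > "$d/bad/app.js"
    printf '%s\n' "$d"
}
```

Call `check_bundle` on the build output directory in CI and fail the job on a non-zero status. A key that was ever found this way should be revoked, not just removed from the bundle.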
Using Your Key
Add to the X-API-Key header:
curl https://api.loyali.io/api/v1/customers \
-H "X-API-Key: sk_live_abc123..."
Or use Bearer authentication:
curl https://api.loyali.io/api/v1/customers \
-H "Authorization: Bearer sk_live_abc123..."
Key Permissions
When creating a private key in the Dashboard, you can restrict what it can do:
| Permission | What it allows |
|---|---|
| customers:read | View customers |
| customers:write | Create/update customers |
| points:read | View balances |
| points:write | Award/deduct points |
| rewards:read | View rewards |
| rewards:write | Manage rewards |
| webhooks:write | Create webhooks |
Least Privilege
Only give each key the permissions it needs. Your checkout service probably doesn't need webhooks:write.
Revoking Keys
If a key is compromised:
In Dashboard
- Go to Settings → API Keys
- Find the key
- Click Revoke
The key stops working immediately.
Error Responses
| Error | Meaning |
|---|---|
| 401 Invalid API key | Key doesn't exist or was revoked |
| 403 Insufficient permissions | Key lacks required permission |
| 403 Public key not allowed | Endpoint requires private key |