API Keys and API Calls Explained in Plain Language

What an API Key Is

An API key is a secret credential that lets software act on behalf of your account.

Think of it as a secure access card for automation tools.

If a request includes a valid API key, the platform knows:

1. Which account/workspace is making the request.
2. Which plan and API limits apply.
3. Whether the request should be allowed.

What Users Can Do With API Keys

With a valid key and API access enabled, users can do actions like:

1. List QR codes.
2. Create QR codes.
3. Read a single QR code by ID.
4. Update QR code fields (for example name or destination URL).
5. Delete QR codes.
6. Pull analytics for reporting.

Plan note:

• API access is Team-tier and above.

What API Calls Mean

Each HTTP method has a purpose:

1. GET = read data

• Example: fetch all QR codes.

1. POST = create new data

• Example: create a new QR code.

1. PUT = update existing data

• Example: change the destination URL of an existing code.

1. DELETE = remove data

• Example: delete a QR code that is no longer needed.

If your team remembers only one thing: GET reads, POST creates, PUT updates, DELETE removes.

Core API Endpoints You Will See

1. GET /api/v1/qr

• Returns a paginated list of QR codes.

1. POST /api/v1/qr

• Creates a new QR code.

1. GET /api/v1/qr/:id

• Returns one QR code.

1. PUT /api/v1/qr/:id

• Updates one QR code.

1. DELETE /api/v1/qr/:id

• Deletes one QR code.

1. GET /api/v1/qr/:id/analytics

• Returns scan metrics for a code.

How Authentication Works in Requests

Requests include your key in the Authorization header:

• Authorization: Bearer YOUR_API_KEY

If this header is missing or invalid, the request is rejected.

How to Read API Responses

API responses usually include:

1. A success message or object.
2. Requested data (for list/read calls).
3. Pagination or analytics structures where relevant.

Status code quick guide:

1. 200: Success
2. 201: Created successfully
3. 400: Bad request (missing/invalid input)
4. 401: Unauthorized (invalid or missing key)
5. 403: Forbidden (plan/permission restriction)
6. 404: Not found (wrong ID/path)
7. 429: Too many requests (rate limit)
8. 500: Server error

Rate Limits and Monthly Allowances

The API enforces request limits to keep service stable.

Expect:

1. Per-minute request limits.
2. Monthly allowance by plan tier.
3. A 429 response when limits are exceeded.

Safety Rules for API Keys

1. Never paste keys in public code, screenshots, or client-side scripts.
2. Store keys in server-side environment variables.
3. Rotate keys if a leak is suspected.
4. Use separate keys per integration so revocation is easier.

Troubleshooting Checklist

If API calls fail:

1. Confirm account has Team-tier API access.
2. Verify Authorization header format.
3. Confirm endpoint path and method are correct.
4. Check request body fields for POST/PUT.
5. Inspect status code and error payload.
6. Check for rate limiting if calls are bursty.

Related Guides

• API onboarding for non-developers: api-quickstart-non-developers.
• Key management and security: enterprise-authentication.
• Full endpoint reference: /api-docs.