Admaxxer Pixel API — Authentication

Admaxxer uses Bearer API keys. Every request to /api/v1/* must include an Authorization header of the form Bearer <api_key>. Keys are bound to a single workspace and carry an explicit, typed set of scopes.

Step 1 — Create a Key

Open Settings › API Keys.
Click Create key and give it a descriptive name (e.g. warehouse-etl, mobile-app-prod).
Select one or more scopes. For read-only integrations pick pixel:read. For server-to-server event ingest also pick pixel:write.
Copy the key. The full value is shown only once. Admaxxer stores a SHA-256 hash, never the raw key.

Step 2 — Use the Key

curl https://admaxxer.com/api/v1/me \
  -H 'Authorization: Bearer YOUR_KEY'

A successful response contains the key’s scopes and the workspace it’s bound to. If you see 401 invalid_api_key, the key is malformed, revoked, expired, or belongs to a different environment.

Available Scopes

Scope	Grants
`pixel:read`	GET /pixel/* endpoints (websites, metrics token mint, goals, alerts, reports, share-links, visitors).
`pixel:write`	POST /pixel/events and POST /pixel/identify.
`brand:read`	Reserved for the brand-monitoring Read API (coming soon).
`brand:write`	Reserved.

A key with zero scopes can hit /api/v1/me but nothing else. If a key has insufficient scope for an endpoint, Admaxxer returns 403 insufficient_scope with details naming the required scope.

Step 3 — Rotate & Revoke

Rotate by creating a new key with the same scopes, deploying it, then revoking the old one.
Revoke is immediate and irreversible: the key’s revoked_at timestamp is set and subsequent requests fail with api_key_revoked.
Expire a key automatically by setting an expires_at at creation time.

Security Notes

Keys are stored as a SHA-256 hash. If you lose the raw key, you cannot recover it — create a new one.
Never commit keys to Git. Use your platform’s secret manager (Replit Secrets, Doppler, Vault, AWS Secrets Manager, etc.).
Give each integration its own key. Revoking one integration should not bring the others down.
Read keys and write keys should be separate. A compromised read key cannot ingest rogue events or rewrite identity mappings.

Error Responses

{
  "error": {
    "code": "missing_authorization",
    "message": "Authorization header is required. Use: Bearer <api_key>"
  },
  "meta": { "request_id": "req_..." }
}

See Errors for the full list.

Overview · Endpoints · Errors · Rate Limits