Skip to main content

Public and Embed APIs

These endpoints power:
  • public shareable link analytics
  • authenticated embed token issuance
  • embeddable widgets for stats/referrals/link creation

Public stats endpoints (/public/stats/*)

  • GET /public/stats/:domain/:key
  • GET /public/stats/:key
Behavior:
  • No auth required.
  • Link must exist, domain must match, and publicStats must be enabled.
  • Returns link summary + clicks/timeseries + geo/device/browser/referrer breakdowns.

Embed endpoints (/embed/*)

  • POST /embed/token
  • GET /embed/verify
  • GET /embed/data/stats
  • GET /embed/data/referrals
  • POST /embed/data/create-link
  • GET /embed/widget.js
  • POST /embed/track

Token model (POST /embed/token)

Token type options:
  • stats
  • referrals
  • link-creator
Token TTL:
  • min 300s (5 minutes)
  • max 86400s (24 hours)
Optional scoping:
  • linkId
  • campaignId

Authorization model

  • token generation is authenticated and permission-gated
  • read widget tokens require read-level permissions
  • link-creator tokens require link-creation permissions
Data endpoints validate token signature and expiry before returning content. POST /embed/data/create-link includes:
  • token verification + type check
  • URL validation rules
  • workspace/campaign ownership checks
  • IP-based rate limiting for creation attempts

Typical failures

  • 401 UNAUTHORIZED: invalid/expired token
  • 403 FORBIDDEN: missing permissions for token creation
  • 404 NOT_FOUND: missing scoped link/campaign
  • 429 RATE_LIMITED: embed create-link abuse protection
Related docs:
  • /user-guides/manual/data/exports-and-operational-checks
  • /user-guides/manual/data/analytics-views-reference