Authenticate Requests to Liquid Rewards API

Liquid Rewards API uses API key authentication. You include your key in every request that requires it by adding an x-api-key header. Keys are issued per account and should be kept secret — never expose them in client-side code or public repositories.

Contact your account manager or support team to obtain your API key.

Which Endpoints Require an API Key

Not every endpoint requires authentication. The table below shows the split at a glance.

Requires API Key

Endpoint	Description
`POST /v1/discovery/products/search`	Search affiliate products
`GET /v1/discovery/products/{slug}`	Get product details
`GET /v1/discovery/merchants`	List affiliate merchants
`GET /v1/discovery/merchants/search`	Search affiliate merchants
`GET /v1/discovery/products/criteria-sets`	List criteria sets
`POST /v1/discovery/products/criteria-sets`	Create a criteria set
`GET /v1/discovery/products/criteria-sets/{id}`	Get a criteria set
`PUT /v1/discovery/products/criteria-sets/{id}`	Update a criteria set
`DELETE /v1/discovery/products/criteria-sets/{id}`	Delete a criteria set

Does Not Require an API Key

Endpoint	Description
`POST /chat/{convo_id}`	Send a chat message
`GET /spy/{convo_id}`	Read conversation state
`POST /clickthrough/{convo_id}`	Record an affiliate click
`POST /signup/{convo_id}`	Register a user signup
`POST /offers/single`, `POST /offers/multi`, `POST /offers/carousel`	Offer building
`GET /offers/retry/{convo_id}/{presentment_id}`	Retry an offer
`GET /inventory/*`	Inventory ranking pages

Passing Your API Key

Add the x-api-key header to every request that requires authentication.

curl -X POST https://rewardsbot-prod.liquidrewardsapi.com/v1/discovery/products/search \
  -H "x-api-key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"query": "running shoes", "per_page": 10}'

Error Responses

If a request cannot be authenticated or is malformed, the API returns one of the following error codes:

Status code	Meaning
`403 Forbidden`	The `x-api-key` header is missing or the provided key is invalid. Double-check that you’re sending the correct key and that the header name is exactly `x-api-key`.
`422 Unprocessable Entity`	The request body failed validation. The response body will include a `detail` field describing which fields are missing or incorrect.
`503 Service Unavailable`	The requested feature is not configured for your account. Contact support to enable the relevant capability.

Example Error Body (`422`)

{
  "detail": [
    {
      "loc": ["body", "query"],
      "msg": "field required",
      "type": "value_error.missing"
    }
  ]
}

Security Best Practices

Keep your key server-side

Never embed your API key in browser JavaScript, mobile app binaries, or any code that users can inspect. Route authenticated requests through your own backend.

Rotate keys periodically

Request a new API key from your account manager on a regular cadence or immediately if you suspect a key has been compromised.

Use environment variables

Store your key in an environment variable (e.g. LIQUID_REWARDS_API_KEY) rather than hard-coding it in source files.

​Which Endpoints Require an API Key

​Requires API Key

​Does Not Require an API Key

​Passing Your API Key

​Error Responses

​Example Error Body (422)

​Security Best Practices

Which Endpoints Require an API Key

Requires API Key

Does Not Require an API Key

Passing Your API Key

Error Responses

Example Error Body (`422`)

Security Best Practices