API keys — create, rotate, scope
Generate API keys for the QR NFC Tap REST API and signed webhooks.
API keys
The QR NFC Tap API lets you create QRs, fetch analytics, manage profiles, and listen to scan webhooks programmatically.
Create an API key
Dashboard → Account → API keys → New key. Pick:
- Name — for your reference (e.g. "n8n production")
- Scopes — read-only / read-write / specific resources
- Optional IP allowlist — restrict the key to specific source IPs
- Optional rate limit override — request higher than tier default (Pro+ tiers)
We show the key once. Copy it now; we store only a hash and cannot show it again. If you lose it, generate a new one.
Authenticate
Bearer token in the Authorization header:
GET /api/qrcodes
Authorization: Bearer tc_live_AbCdEf...
Rate limits
- Free: no API access
- Pro: 10 req/s
- Business: 50 req/s
- Agency: 100 req/s
- Enterprise: by contract
Burst is ~3× the steady rate for 1 minute. Requests over the limit get HTTP 429 with a Retry-After header.
Rotation
Best practice: rotate keys every 90 days. Generate a new key, deploy it to your systems, then revoke the old one in the dashboard. We'll be adding scheduled-rotation reminders in the next release.
Revocation
Revoke immediately if a key is leaked. Dashboard → API keys → click the row → Revoke. Active connections using the revoked key fail with 401 on the next request (within seconds).
Sandbox / test mode
API keys come in two prefixes:
- tc_test_* — sandbox, hits a separate test database, no real billing
- tc_live_* — production
Use sandbox for development; switch to live for production deploys.
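A client-side sketch covering the Authenticate, Rate limits and Sandbox sections above. It is an added example, not code from QR NFC Tap. It refuses a key whose prefix does not match the deployment mode, keeps the secret out of log messages, honors Retry-After on 429 and fails fast on 401. The QRNFC_API_KEY variable name, the base_url argument and all function names are assumptions.

```python
import email.utils
import os
import time
import urllib.error
import urllib.request

PREFIX = {"sandbox": "tc_test_", "production": "tc_live_"}  # prefixes from the page

def load_key(mode, env=os.environ):
    """Read the key from the environment; refuse one that belongs to the other mode."""
    key = env.get("QRNFC_API_KEY", "")  # assumed variable name
    if not key.startswith(PREFIX[mode]):
        raise ValueError(f"{mode} needs a {PREFIX[mode]}* key")
    return key

def redact(key):
    """Log-safe form: the 8-character prefix only, never the secret part."""
    return key[:8] + "..."

def retry_after_seconds(value, now=None, default=1.0, cap=60.0):
    """Retry-After is delta-seconds or an HTTP-date; clamp the wait to [0, cap]."""
    value = (value or "").strip()
    if value.isdecimal():
        delay = float(value)
    else:
        try:
            when = email.utils.parsedate_to_datetime(value)
            delay = when.timestamp() - (time.time() if now is None else now)
        except (TypeError, ValueError):
            delay = default  # header missing or unparseable
    return min(max(delay, 0.0), cap)

def get(path, key, base_url, opener=urllib.request.urlopen, sleep=time.sleep, attempts=4):
    """GET with the Bearer header; wait out 429s, fail fast on 401 (revoked key)."""
    req = urllib.request.Request(base_url + path, headers={"Authorization": f"Bearer {key}"})
    for _ in range(attempts):
        try:
            with opener(req, timeout=10) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 401:
                raise PermissionError(f"key {redact(key)} rejected with 401 (revoked?)") from None
            if err.code != 429:
                raise
            sleep(retry_after_seconds(err.headers.get("Retry-After")))
    raise TimeoutError("still rate limited after retries")
```

The opener and sleep parameters exist so the retry path can be exercised offline with a stub transport.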
Where to find docs
Full OpenAPI spec at /api/docs (login required). Postman collection: /api/postman.json.