API Authentication - Scanova API Documentation

Server event endpoints (POST /server-events and POST /server-events/batch) require an API key. Browser events (POST /ct) are public and do not require authentication — they are validated by domain instead.

API key header

Include your key in every server event request:

POST /server-events HTTP/1.1
Host: track.scanova.io
Content-Type: application/json
X-API-Key: YOUR_SITE_API_KEY

Key scope

API keys are site-scoped. A key generated for Site A cannot be used to send events for Site B. The site_id in your request body must match the site that issued the key. A mismatch returns 403 Forbidden.

Generating a key

Keys are created in the dashboard:

Go to Integrations → Conversion Tracking
Open your tracking site
Click the API Keys tab
Click Generate API Key

Full instructions: Generate an API Key

Security rules

Never include your API key in frontend/browser code — it would be publicly visible
Store keys in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.)
Create separate keys for production and staging environments
Revoke keys immediately if they are accidentally exposed

Error responses

Status	Meaning
`401 Unauthorized`	`X-API-Key` header is missing
`403 Forbidden`	Key is invalid, revoked, or `site_id` does not match the key’s site

Verify & Debug Server Events Browser Events API — POST /ct

​API key header

​Key scope

​Generating a key

​Security rules

​Error responses

API key header

Key scope

Generating a key

Security rules

Error responses