
Generating your API token

Generate and regenerate your SiteDetour API access token, and authenticate API requests with it.


Overview

Every SiteDetour user can generate one API access token. The token authenticates programmatic requests to the SiteDetour API. This article covers generation, revocation, and authentication.

Generating a token

  1. Sign in and go to API.
  2. Click Download Token. A text file downloads containing the token.

The token is long-lived. SiteDetour stores only a hash — if you lose the plaintext, you'll have to regenerate.

A yellow warning appears next to the Download button: Downloading a new token will revoke any previous tokens associated with your account. Only one token is active per user at a time.

Regenerating / rotating

Click Download Token again to generate a fresh one. The old token is immediately invalidated — any long-running process using the old token will start getting 401s.

For production systems, regenerate on a schedule (quarterly is a reasonable cadence) or whenever a team member with access leaves.

Using the token

Pass the token in the Authorization header as a Bearer token on every request:

curl -H "Authorization: Bearer $TOKEN" \
"https://sitedetour.com/api/redirects"

Set Content-Type: application/json and Accept: application/json for POST/PATCH requests.

Permission model

A token inherits the permission level of the user who generated it. An Administrator's token can manage users; a Read Only user's token is, by design, read-only. Tokens are not sharable — sharing a token across team members obscures who performed an action in the activity log.

Rate limiting

SiteDetour applies a rate limit of 240 requests per minute per token. Exceeding the limit returns HTTP 429 with a Retry-After header. For bulk operations, implement exponential backoff and stagger requests.
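
An added example (not SiteDetour's own code) of the backoff recommended above: it honors Retry-After on 429, falls back to jittered exponential backoff, and stops on 401 because a regenerated token cannot recover by retrying. The SITEDETOUR_TOKEN variable name, the retry limits and the 60-second cap are assumptions; Retry-After is parsed in both forms HTTP allows (seconds or a date).

```python
import os
import random
import time
import urllib.error
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

API_URL = "https://sitedetour.com/api/redirects"  # endpoint shown on this page

def retry_delay(attempt, retry_after=None, base=1.0, cap=60.0, now=None):
    """Seconds to wait before retry number `attempt` (0-based), never above `cap`."""
    if retry_after:
        try:  # delta-seconds form, e.g. "7"
            return min(cap, max(0.0, float(retry_after)))
        except ValueError:
            pass
        try:  # HTTP-date form, e.g. "Wed, 21 Oct 2015 07:28:30 GMT"
            when = parsedate_to_datetime(retry_after)
            now = now or datetime.now(timezone.utc)
            return min(cap, max(0.0, (when - now).total_seconds()))
        except (TypeError, ValueError):
            pass  # malformed header: fall through to computed backoff
    # No usable header: exponential backoff with full jitter.
    return random.uniform(0, min(cap, base * 2 ** attempt))

def send_once(token, url=API_URL):
    """One GET; returns (status, Retry-After header or None, body bytes)."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Retry-After"), err.read()

def get_with_backoff(token, send=send_once, max_attempts=5, sleep=time.sleep):
    """Retry only on 429; returns (status, body) of the final response."""
    for attempt in range(max_attempts):
        status, retry_after, body = send(token)
        if status == 429 and attempt + 1 < max_attempts:
            sleep(retry_delay(attempt, retry_after))
            continue
        if status == 401:
            # Token was regenerated elsewhere; retrying cannot succeed.
            raise PermissionError("401: token revoked or invalid, reload it")
        return status, body

if __name__ == "__main__":
    # Assumed variable name; the token comes from the environment, not source.
    print(get_with_backoff(os.environ["SITEDETOUR_TOKEN"])[0])
```

The `send` and `sleep` parameters exist so the retry logic can be exercised without network access or real waiting.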

Revoking a token

There is no explicit revoke button; regenerating replaces and revokes the old token. To revoke without generating a new one, delete the user account — this also revokes every token under it.

Secrets hygiene

  • Store tokens in a secrets manager or environment variables, never in source code.
  • If a token leaks (in logs, in a screenshot, in a public repo), regenerate immediately.
  • Use per-environment tokens — different user accounts for staging vs. production, each with their own token and appropriate permission level.
