API access is a responsibility
Developer tools can help advanced affiliates automate links, reporting, widgets, or seller referral workflows. They can also create problems if tokens are exposed, requests are too aggressive, or links are generated incorrectly.
Treat API tokens like passwords. Do not place private tokens in public JavaScript, screenshots, client-side apps, shared documents, or browser-visible code.
Safe integration practices
- Store tokens in a private server environment or secure secret manager.
- Use the minimum access needed for the integration.
- Respect rate limits and avoid repeated unnecessary requests.
- Validate destination URLs before generating or publishing links.
- Log enough to debug your integration without storing private customer data.
- Rotate tokens if you believe they were exposed.
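
The practices above as server-side helpers, in an added example that is not code from this page or from the affiliate API itself. The environment variable name, the allowed hosts, and the `send` callable returning `(status, headers, body)` are assumptions made for illustration.

```python
import os
import time
from urllib.parse import urlsplit

# Assumption: hosts this integration may link to (constructed sample values).
ALLOWED_HOSTS = {"shop.example.com", "www.example.com"}
MAX_ATTEMPTS = 4


def load_token(env_var="AFFILIATE_API_TOKEN"):
    """Read the token from the server environment; the variable name is hypothetical."""
    token = os.environ.get(env_var)
    if not token:
        raise RuntimeError(f"{env_var} is not set")
    return token


def validate_destination(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs on an allowlisted host, with no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def redact(text, token):
    """Strip the token from anything that is about to be logged."""
    return text.replace(token, "[REDACTED]")


def call_with_backoff(send, sleep=time.sleep, base_delay=1.0):
    """Call send() -> (status, headers, body); retry only 429/5xx, with capped attempts.

    Honors a numeric Retry-After header, otherwise doubles the delay each attempt.
    """
    for attempt in range(MAX_ATTEMPTS):
        status, headers, body = send()
        if status != 429 and status < 500:
            return status, body
        if attempt == MAX_ATTEMPTS - 1:
            break
        retry_after = headers.get("Retry-After", "")
        delay = float(retry_after) if retry_after.isdigit() else base_delay * 2 ** attempt
        sleep(delay)
    raise RuntimeError(f"giving up after {MAX_ATTEMPTS} attempts (last status {status})")
```

Pass every outgoing log line through `redact` and call `validate_destination` before a link is generated or published, so a rejected URL never reaches the API.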
When to ask for help
Open a support ticket if API responses do not match documentation, links are not tracking, a token needs rotation, or your integration creates unexpected referrals. Include request timing, endpoint, non-sensitive response details, and the affiliate account context.
- No private token is visible in browser code.
- Generated links are tested before release.
- Integration handles errors without spamming requests.
- Support requests omit secrets and private user data.