
Authentication

The Blinksale API uses API tokens (also called API keys) for authentication. This page explains how to obtain and use API tokens to access the Blinksale API.

Obtaining an API Token

To get your API token:
  1. Log in to your Blinksale account
  2. Navigate to Settings → API Access (or go directly to https://app.blinksale.com/settings/api)
  3. Click on “Create API Token”
  4. Enter a name for your token (e.g., “My Integration”)
  5. Set permissions as needed
  6. Click “Create” to generate the token
  7. Important: Copy your token immediately and store it in a secure location. For security reasons, you won’t be able to view the complete token again after closing the dialog.

Token Permissions

When creating an API token, you can specify the permissions for that token:
  • Read: View resources; cannot create, update, or delete them
  • Write: Create, update, and delete resources (also includes read access)
  • Send: Send emails (estimates, invoices, etc.)
Following security best practices, assign only the permissions your integration needs.

Using Your API Token

To authenticate API requests, include your API token in the Authorization header using the Bearer token scheme:
Authorization: Bearer YOUR_API_TOKEN

Example Request with cURL

curl -X GET \
  https://app.blinksale.com/api/v1/clients \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Accept: application/json'

Example Request with JavaScript

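fetch('https://app.blinksale.com/api/v1/clients', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer YOUR_API_TOKEN',
    'Accept': 'application/json',
  }
})
.then(response => {
  // fetch() also resolves on HTTP error statuses, so check before parsing
  if (!response.ok) throw new Error(`HTTP ${response.status}`);
  return response.json();
})
.then(data => console.log(data))
.catch(error => console.error(error.message));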

Example Request with PHP

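<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://app.blinksale.com/api/v1/clients');
// Return the response body as a string instead of printing it directly
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer YOUR_API_TOKEN',
    'Accept: application/json',
]);
$response = curl_exec($ch);
if ($response === false) {
    // curl_exec() returns false when the transfer itself fails
    error_log('Request failed: ' . curl_error($ch));
} else {
    echo $response;
}
curl_close($ch);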

Token Security Best Practices

  1. Never share or expose your API token in public code repositories, client-side code, or insecure locations.
  2. Store tokens securely in environment variables or a secure credential store, not directly in your code.
  3. Use specific tokens for specific integrations so you can revoke access individually if needed.
  4. Periodically rotate your API tokens to minimize risk in case a token is compromised.
  5. Grant only the required permissions to each API token following the principle of least privilege.
  6. Revoke tokens that are no longer needed to minimize potential attack surface.
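
The sketch below applies practices 1 and 2 to the request shown earlier: the token is read from the environment, attached only to HTTPS requests for the API host, and stripped from error text before it can reach a log. It is an added example, not Blinksale's own code; the variable name BLINKSALE_API_TOKEN and the function names are assumptions made for illustration.

```javascript
// Added example, not Blinksale code. BLINKSALE_API_TOKEN is an assumed name.
const API_ORIGIN = 'https://app.blinksale.com'; // host used in this page's examples

// Read the token from the environment instead of hardcoding it in source.
function loadToken(env = process.env) {
  const token = (env.BLINKSALE_API_TOKEN || '').trim();
  if (!token || token === 'YOUR_API_TOKEN') {
    throw new Error('BLINKSALE_API_TOKEN is not set');
  }
  if (/\s/.test(token)) {
    throw new Error('BLINKSALE_API_TOKEN contains whitespace');
  }
  return token;
}

// Build the request, refusing any URL that is not HTTPS on the API origin,
// so the bearer token is never attached to a request for another host.
function buildRequest(path, token) {
  const url = new URL(path, API_ORIGIN);
  if (url.origin !== API_ORIGIN) {
    throw new Error(`refusing to send token to ${url.origin}`);
  }
  return {
    url: url.href,
    options: {
      method: 'GET',
      redirect: 'error', // fail on redirects rather than follow them
      headers: { Authorization: `Bearer ${token}`, Accept: 'application/json' },
    },
  };
}

// Replace every occurrence of the token before text is logged or rethrown.
function redact(text, token) {
  return String(text).split(token).join('[REDACTED]');
}

async function listClients(env = process.env) {
  const token = loadToken(env);
  const { url, options } = buildRequest('/api/v1/clients', token);
  try {
    const res = await fetch(url, options);
    if (!res.ok) throw new Error(`HTTP ${res.status}`);
    return await res.json();
  } catch (err) {
    throw new Error(redact(err.message, token));
  }
}
```

Run it server-side only, with the variable set by your deployment environment or secret store, never in browser code.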

Token Management

You can manage your API tokens from the API Access settings page:
  • View: See a list of all your active API tokens
  • Create: Generate new API tokens for different integrations
  • Delete: Remove tokens that are no longer needed
  • Rotate: Replace an existing token with a new one when needed
If you believe an API token has been compromised, delete it immediately and create a new one with the same permissions.