Streakfox
API

API Authentication

Authenticate your API calls using project credentials and signed tokens.

Streakfox APIs use a mix of project identifiers and signed tokens depending on the endpoint.

Project ID (siteKey)

Public endpoints like /v1/e and /v1/state use your project ID (siteKey) in the request body or query string. Requests from the browser are validated against your Allowed Origins list.

Server ingest token

Use X-Streak-Server-Token when recording trusted backend events through /v1/server/e.

POST /v1/server/e HTTP/1.1
Host: api.streakfox.com
X-Streak-Server-Token: <SERVER_INGEST_TOKEN>
Content-Type: application/json

Keep this token in server environments only.

Webhook secret

Use X-Streak-Webhook-Secret when a third-party automation sends an inbound event to /v1/webhook/:siteKey/e. Create or rotate the secret from the dashboard Programs page.

Admin token (server-only)

Use the admin token when calling privileged routes like /admin/alias.

POST /admin/alias HTTP/1.1
Host: api.streakfox.com
X-Admin-Token: <ADMIN_TOKEN>
Content-Type: application/json

Only send the admin token from server environments (API routes, server actions, or backend services).

Alias tokens (browser-friendly)

To link anonymous visitors from the browser, generate a short-lived alias token on your server using the ALIAS_SIGNING_SECRET, then send it to /v1/alias.

The Quickstart guide includes a full token example in Node.

MCP bearer token

The MCP Worker requires Authorization: Bearer <token>. For launch, Streakfox or your deployment environment provides this token. Customer-scoped self-serve MCP tokens are still a launch follow-up.

On this page