API Authentication
Authenticate your API calls using project credentials and signed tokens.
Streakfox APIs use a mix of project identifiers and signed tokens depending on the endpoint.
Project ID (siteKey)
Public endpoints like /v1/e and /v1/state use your project ID (siteKey) in the request body or query string. Requests from the browser are validated against your Allowed Origins list.
Server ingest token
Use X-Streak-Server-Token when recording trusted backend events through /v1/server/e.
POST /v1/server/e HTTP/1.1
Host: api.streakfox.com
X-Streak-Server-Token: <SERVER_INGEST_TOKEN>
Content-Type: application/jsonKeep this token in server environments only.
Webhook secret
Use X-Streak-Webhook-Secret when a third-party automation sends an inbound event to /v1/webhook/:siteKey/e. Create or rotate the secret from the dashboard Programs page.
Admin token (server-only)
Use the admin token when calling privileged routes like /admin/alias.
POST /admin/alias HTTP/1.1
Host: api.streakfox.com
X-Admin-Token: <ADMIN_TOKEN>
Content-Type: application/jsonOnly send the admin token from server environments (API routes, server actions, or backend services).
Alias tokens (browser-friendly)
To link anonymous visitors from the browser, generate a short-lived alias token on your server using the ALIAS_SIGNING_SECRET, then send it to /v1/alias.
The Quickstart guide includes a full token example in Node.
MCP bearer token
The MCP Worker requires Authorization: Bearer <token>. For launch, Streakfox or your deployment environment provides this token. Customer-scoped self-serve MCP tokens are still a launch follow-up.