What are API tokens?

Short answer

This article explains what API tokens are with practical guidance, limits, and implementation details so you can apply it consistently.

In Linkbreakers, API tokens (also called workspace tokens) are secure authentication credentials that grant programmatic access to your workspace. These two terms refer to the same thing - we use "API tokens" when discussing programmatic access and "workspace tokens" in the dashboard interface, but they're identical.

API tokens enable you to connect AI assistants through MCP, call the public API, build custom dashboards, create white label solutions, and automate workflows without manual intervention.

Quick summary

• Understand that API tokens authenticate programmatic access to your workspace
• Create tokens through the workspace dashboard with descriptive names for different use cases
• Connect AI assistants like Claude using the MCP server for natural language interactions
• Call the public REST API to automate link creation, analytics retrieval, and workflow management
• Build custom dashboards and white label solutions with complete control over user experience
• Manage token security through rotation, revocation, and environment-based isolation

What are API tokens used for?

API tokens unlock programmatic access to your Linkbreakers workspace, enabling automation and integration scenarios that would be tedious or impossible through the web interface.

Authentication and security

API tokens act as secure credentials that identify your workspace and grant appropriate permissions:

• Long-lived credentials that remain valid until explicitly revoked
• JWT-based authentication following industry-standard security practices
• Workspace-scoped access ensuring tokens only access authorized resources
• Audit trail tracking monitoring token usage for security and compliance

Unlike passwords, tokens are designed for machine-to-machine authentication and can be safely stored in secure environments like password managers or environment variables.

Multiple use cases

A single workspace can have multiple tokens for different purposes:

• MCP integration tokens for AI assistants like Claude or Continue
• Production API tokens for live application integrations
• Development tokens for testing and staging environments
• Analytics tokens for business intelligence dashboards
• White label tokens for custom-branded customer solutions

This flexibility enables proper security isolation and usage tracking across different integration scenarios.

Using tokens with the MCP server

The Linkbreakers MCP server enables AI assistants to interact with your workspace using natural language.

Natural language interactions

With an MCP-configured token, you can simply ask AI assistants to:

• "Create a shortened link for my new product launch"
• "Show me analytics for all links created this month"
• "Generate a QR code design with my brand colors"
• "List visitors who submitted the contact form"

The MCP server translates these natural language requests into API calls, handles authentication with your token, and returns results in conversational format.

Supported AI assistants

API tokens enable MCP integration with:

• Claude (web and desktop app via Connectors)
• Claude Code (CLI tool for development workflows)
• Continue (VSCode extension for coding assistance)
• Any MCP-compatible client following the Model Context Protocol standard

This provides consistent access across different tools while maintaining centralized token management and security.

Using tokens with the public API

The Linkbreakers REST API provides programmatic access to all platform features through standard HTTP requests.

API authentication

Include your token in the Authorization header for every API request:

curl -H "Authorization: Bearer YOUR_JWT_TOKEN" \
     -H "Content-Type: application/json" \
     https://api.linkbreakers.com/v1/links

This bearer token authentication follows OAuth 2.0 standards and works with any HTTP client in any programming language.

Common API operations

API tokens enable comprehensive platform automation:

• Link management creating, updating, and deleting links programmatically
• Analytics retrieval fetching scan data, visitor profiles, lead scores, and performance metrics
• QR code generation creating custom-designed QR codes with branding
• Workflow automation configuring forms, conditional logic, and multi-step sequences
• Domain management adding custom domains and SSL certificates
• Webhook configuration setting up real-time event notifications

Full API documentation is available at https://linkbreakers.com/help/api with comprehensive endpoint references and code examples.

SDK and library support

Official and community libraries simplify API integration:

• Official SDKs providing typed interfaces for popular languages
• OpenAPI specification enabling automatic client generation
• Code examples demonstrating common integration patterns
• Webhook handlers for processing real-time events

These libraries handle authentication, error handling, and response parsing automatically, reducing integration complexity.

Building custom dashboards

API tokens enable complete recreation of Linkbreakers functionality within your own applications.

Dashboard recreation

Build custom interfaces that replicate or extend platform features:

• Link management interfaces with custom filtering and organization
• Analytics dashboards combining Linkbreakers data with other metrics
• Custom reporting using tools like Tableau, Power BI, or Grafana
• Mobile applications providing on-the-go access to campaign data
• Team-specific views showing only relevant campaigns and metrics

API access provides the data foundation while you control presentation and user experience.

Real-time data synchronization

Keep custom dashboards current through:

• Webhook notifications triggering immediate updates when events occur
• Polling strategies fetching fresh data at appropriate intervals
• Caching layers balancing performance with data freshness
• Event streaming processing scan data as it arrives

This ensures custom interfaces maintain parity with the main platform while optimizing for specific use cases.

White label and reseller solutions

Enterprise plans enable white label implementations where API tokens power completely branded customer experiences.

Complete brand control

Use API tokens to build custom-branded QR code platforms:

• Custom domains ensuring your brand appears throughout the visitor journey
• Branded interfaces replacing Linkbreakers UI with your own application
• Multi-tenant isolation managing multiple customers from a single workspace
• Usage-based billing tracking consumption per customer for reseller pricing

Your customers never see the Linkbreakers brand - they experience your solution powered by enterprise infrastructure.

Custom feature development

Build specialized features on top of the platform:

• Industry-specific workflows tailored to unique business requirements
• Custom integrations connecting with proprietary systems or platforms like Zapier and Make.com
• Enhanced analytics combining scan data with domain-specific metrics
• Specialized exports formatting data for existing business processes

API access provides building blocks while you create differentiated value for your market. For comprehensive integration guidance, see How to integrate Linkbreakers with existing tech stack.

Token management and security

Proper token management ensures secure access while maintaining operational flexibility.

Creating tokens

Generate tokens through the workspace dashboard:

1. Navigate to Settings → API Tokens
2. Click "Create Token"
3. Enter a descriptive name (e.g., "Production API" or "Claude MCP")
4. Click "Create"
5. Copy the token immediately - it's only shown once

Use descriptive names that identify the token's purpose and location for easier auditing and management.

Security best practices

Protect tokens like passwords:

• Never commit tokens to source code or version control
• Use environment variables to store tokens securely
• Rotate tokens periodically even if not compromised
• Revoke unused tokens immediately to minimize exposure
• Use different tokens for different environments and purposes

The dashboard tracks token usage patterns, enabling detection of unusual activity or compromised credentials.

Token revocation

Immediately revoke tokens if:

• An environment is decommissioned
• A developer leaves the team
• Token appears in logs or version control
• Suspicious usage patterns are detected

Revocation is instant and irreversible. Dependent integrations will fail immediately, so coordinate revocation with replacement token deployment.

Frequently Asked Questions

What's the difference between API tokens and user passwords?

API tokens are designed for programmatic access by applications and scripts, while passwords authenticate human users. Tokens can be revoked independently without affecting account access.

Can I create multiple tokens for the same workspace?

Yes. Create as many tokens as needed for different purposes, environments, or applications. This enables proper security isolation and usage tracking. See What is a workspace? for more details about workspace management.

Do API tokens expire automatically?

No. Tokens remain valid indefinitely until explicitly revoked. However, periodic rotation is recommended as a security best practice.

What happens if my token is compromised?

Immediately revoke the token through the dashboard. Generate a new token and update applications. Monitor recent activity for unauthorized access.

Can I restrict what a token can access?

Currently, tokens provide full workspace access. Use different workspaces or careful implementation patterns to segment access by purpose or team. For user-level permissions, see role-based access control.

How do I use tokens with the MCP server?

Follow the MCP server setup guide which walks through token creation and client configuration for AI assistants.

What rate limits apply to API token usage?

Rate limits vary by plan tier and are designed to accommodate normal usage while preventing abuse. Enterprise plans offer higher limits and can request custom quotas.

Can I see which token was used for each API call?

Yes. The dashboard tracks token usage patterns including request counts and timestamps, enabling security auditing and usage analysis.

How do tokens work with white label solutions?

Enterprise tokens enable complete API access for building custom-branded interfaces and managing multiple customers through a single workspace.

What's the best way to store tokens in production?

Use secure environment variables, secret management services (AWS Secrets Manager, HashiCorp Vault), or container orchestration secrets rather than hardcoding in application code.

Limits and caveats

• Feature availability and limits can vary by plan and workspace setup.
• Results depend on correct implementation, attribution setup, and data quality controls.
• Regulatory and privacy obligations vary by jurisdiction and use case.