Overview
The SecureLync Partner API allows authorised partners to integrate encrypted file sharing directly into their platforms. Users on your platform can create share links, manage tokens, and track downloads — all powered by SecureLync's AES-256-GCM encryption infrastructure.
Files shared through the Partner API follow the same security model as direct SecureLync users: encrypted client-side before upload, time-limited links, malware-scanned, and auto-deleted on expiry.
Authentication
All requests must include your partner API key as a Bearer token in the Authorization header.
Authorization: Bearer your_partner_api_key_here
Keep your API key secret. Do not expose it in client-side code, public repositories, or logs. If compromised, contact us immediately to rotate.
Base URL
https://api.securelync.com/v1
All endpoints are HTTPS only. HTTP requests are rejected.
Error Handling
All responses are JSON. Successful responses include "ok": true. Errors include "ok": false and an "error" string.
{
  "ok": false,
  "error": "X-Partner-User-ID header required."
}
| Status | Meaning |
|---|---|
| 200 | Success |
| 201 | Resource created |
| 400 | Bad request: missing or invalid parameters |
| 401 | Unauthorised: invalid or missing API key |
| 404 | Resource not found |
| 429 | Rate limited: slow down requests |
| 500 | Server error: contact support |
Roles
Pass the user's role in the X-Partner-Role header on each request. Role controls what data the user can access.
| Role | Can do |
|---|---|
| admin | Create tokens, list ALL organisation tokens, revoke any token, check any token status |
| vendor | Create tokens, list own tokens, revoke own tokens, check own token status |
| client | Create tokens, list own tokens, revoke own tokens, check own token status |
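Because the role header decides what a request may list or revoke, the values sent in X-Partner-User-ID and X-Partner-Role should come from your own server-side session, never from anything the browser submits. The following is an added example, not SecureLync's code; the function name, the session array shape and the user-ID pattern are assumptions.

```php
<?php
// Added example (not SecureLync code): build the identity headers from
// server-side session data only. The $session keys and the ID pattern
// below are assumptions; adapt them to your platform's ID format.
const SL_ROLES = ['admin', 'vendor', 'client'];

function sl_identity_headers(array $session): array {
    $userId = $session['user_id'] ?? null;
    $role   = $session['role'] ?? 'client'; // the API also defaults to client

    // Reject anything that is not a plain identifier, so the value cannot
    // carry line breaks into the header line it is concatenated into.
    if (!is_string($userId) || preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $userId) !== 1) {
        throw new InvalidArgumentException('Invalid partner user ID.');
    }
    // Strict allow-list: only the three documented roles.
    if (!in_array($role, SL_ROLES, true)) {
        throw new InvalidArgumentException('Unknown partner role.');
    }
    return ['X-Partner-User-ID: ' . $userId, 'X-Partner-Role: ' . $role];
}

// Constructed sample sessions: one valid, one with a malformed ID
// (embedded line break), one with a role outside the documented set.
$samples = [
    ['user_id' => 'usr_456', 'role' => 'vendor'],
    ['user_id' => "usr_456\r\nX-Extra: 1", 'role' => 'client'],
    ['user_id' => 'usr_789', 'role' => 'superadmin'],
];
foreach ($samples as $session) {
    try {
        echo implode(' | ', sl_identity_headers($session)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The returned array can be passed as the `$headers` argument of the `sl_request()` helper shown under PHP Examples.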
Health Check
Check if the API is operational. No authentication required.
Response
{
  "ok": true,
  "status": "ok",
  "version": "1.0.0",
  "service": "SecureLync Partner API"
}
Create User
Creates a SecureLync account for a user on your platform. If the user already exists, returns their existing account details. Safe to call on every login — idempotent.
Request body
| Field | Type | Description |
|---|---|---|
| user_id (required) | string | Your platform's unique user identifier |
| email (required) | string | User's email address |
| username (required) | string | User's display name on your platform |
| role (optional) | string | One of: admin, vendor, client. Defaults to client |
Response
{
  "ok": true,
  "message": "User created.",
  "securelink_user_id": 42,
  "username": "msm__user_123",
  "partner_user_id": "user_123",
  "partner_role": "vendor"
}
Create Token
Creates a new share token for a partner user. Returns a SecureLync share URL ready to send to a recipient. File upload is handled separately via the SecureLync widget or client-side SDK.
Headers
| Header | Description |
|---|---|
| X-Partner-User-ID (required) | Your platform's user ID for the token owner |
| X-Partner-Role (optional) | User's role. Defaults to client |
Request body
| Field | Type | Description |
|---|---|---|
| label (optional) | string | Descriptive label for this token (max 64 chars) |
| expires_in_days (optional) | integer | 1–7. Defaults to 7 |
| max_downloads (optional) | integer | Max downloads before link closes. Omit for unlimited |
Response
{
  "ok": true,
  "token_id": 88,
  "token": "a3f8c2...",
  "share_url": "https://securelync.com/download?token=a3f8c2...",
  "expires_at": "2026-04-17T10:30:00.000Z",
  "expires_in_days": 7,
  "max_downloads": null,
  "label": "Contract docs for Client A"
}
List Tokens
Returns all tokens for the requesting user. If role is admin, returns all tokens across the entire organisation.
Headers
| Header | Description |
|---|---|
| X-Partner-User-ID (required) | Your platform's user ID |
| X-Partner-Role (optional) | Pass admin to get all org tokens |
Response
{
  "ok": true,
  "role": "admin",
  "count": 2,
  "tokens": [
    {
      "token_id": 88,
      "token": "a3f8c2...",
      "label": "Contract docs for Client A",
      "share_url": "https://securelync.com/download?token=a3f8c2...",
      "created_at": "2026-04-10T10:30:00.000Z",
      "expires_at": "2026-04-17T10:30:00.000Z",
      "active": true,
      "download_count": 1,
      "max_downloads": null,
      "partner_user": "user_123"
    }
  ]
}
Token Status
Returns the current status of a specific token including download count and whether it is still active.
Headers
| Header | Description |
|---|---|
| X-Partner-User-ID (required) | Your platform's user ID |
| X-Partner-Role (optional) | Pass admin to access any org token |
Response
{
  "ok": true,
  "token_id": 88,
  "token": "a3f8c2...",
  "label": "Contract docs for Client A",
  "share_url": "https://securelync.com/download?token=a3f8c2...",
  "created_at": "2026-04-10T10:30:00.000Z",
  "expires_at": "2026-04-17T10:30:00.000Z",
  "active": true,
  "expired": false,
  "download_capped": false,
  "download_count": 1,
  "max_downloads": null
}
Revoke Token
Permanently revokes a token and deletes associated file records. This cannot be undone. Admins can revoke any token in the organisation.
Headers
| Header | Description |
|---|---|
| X-Partner-User-ID (required) | Your platform's user ID |
| X-Partner-Role (optional) | Pass admin to revoke any org token |
Response
{
  "ok": true,
  "message": "Token revoked."
}
PHP Examples
All examples use PHP's built-in curl functions. No external libraries required.
Setup
<?php
define('SL_API_BASE', 'https://api.securelync.com/v1');
// Placeholder only: load the real key from an environment variable (see Security Notes).
define('SL_API_KEY', 'your_partner_api_key_here');

// Send one JSON request to the Partner API and return the decoded response.
function sl_request(string $method, string $endpoint, array $headers = [], ?array $body = null): array {
    $ch = curl_init(SL_API_BASE . $endpoint);
    $defaultHeaders = [
        'Authorization: Bearer ' . SL_API_KEY,
        'Content-Type: application/json',
        'Accept: application/json',
    ];
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => array_merge($defaultHeaders, $headers),
        CURLOPT_TIMEOUT        => 15,
    ]);
    if ($body !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
    }
    $response = curl_exec($ch);
    curl_close($ch);
    // curl_exec() returns false on transport failure (timeout, DNS, TLS).
    if ($response === false) {
        return ['ok' => false, 'error' => 'Request failed'];
    }
    return json_decode($response, true) ?? ['ok' => false, 'error' => 'Invalid response'];
}
?>
Create a user on registration
<?php
// Call this when a user registers or logs in on your platform
function sl_ensure_user(string $user_id, string $email, string $username, string $role): array {
    return sl_request('POST', '/users/create', [], [
        'user_id'  => $user_id,
        'email'    => $email,
        'username' => $username,
        'role'     => $role, // 'admin', 'vendor', or 'client'
    ]);
}

// Example usage
$result = sl_ensure_user('usr_456', 'vendor@example.com', 'John Smith', 'vendor');
if ($result['ok']) {
    echo 'SecureLync user ready: ' . $result['securelink_user_id'];
}
?>
Create a share token
<?php
function sl_create_token(string $user_id, string $role, string $label = '', int $expires_days = 7, ?int $max_downloads = null): array {
    $body = [
        'label'           => $label,
        'expires_in_days' => $expires_days,
    ];
    // Omit max_downloads entirely for unlimited downloads, as the field table specifies
    if ($max_downloads !== null) {
        $body['max_downloads'] = $max_downloads;
    }
    return sl_request('POST', '/tokens/create', [
        'X-Partner-User-ID: ' . $user_id,
        'X-Partner-Role: ' . $role,
    ], $body);
}

// Example: vendor creates a token for a client appointment
$token = sl_create_token('usr_456', 'vendor', 'Appointment docs - 10 Apr', 7);
if ($token['ok']) {
    $shareUrl = $token['share_url'];
    // Send $shareUrl to the client via your live chat or email
    echo 'Share this link: ' . $shareUrl;
}
?>
List all tokens (admin)
<?php
function sl_list_tokens(string $user_id, string $role): array {
    return sl_request('GET', '/tokens', [
        'X-Partner-User-ID: ' . $user_id,
        'X-Partner-Role: ' . $role,
    ]);
}

// Admin sees all org tokens
$result = sl_list_tokens('admin_001', 'admin');
if ($result['ok']) {
    foreach ($result['tokens'] as $token) {
        echo $token['label'] . ' — ' . ($token['active'] ? 'Active' : 'Expired') . PHP_EOL;
    }
}
?>
Revoke a token
<?php
function sl_revoke_token(string $user_id, string $role, int $token_id): array {
    return sl_request('DELETE', '/tokens/' . $token_id, [
        'X-Partner-User-ID: ' . $user_id,
        'X-Partner-Role: ' . $role,
    ]);
}

$result = sl_revoke_token('usr_456', 'vendor', 88);
if ($result['ok']) {
    echo 'Token revoked successfully.';
}
?>
Embeddable Widget
<!-- SecureLync Widget Placeholder -->
<div id="securelync-widget"
     data-partner-key="your_public_widget_key"
     data-user-id="current_user_id"
     data-role="vendor">
</div>
<script src="https://api.securelync.com/widget.js" defer></script>
Security Notes
API key security
Store your API key as an environment variable, never in source code or version control. Rotate your key immediately if you suspect compromise by contacting hello@securelync.com.
Data isolation
Partner users are fully isolated from direct SecureLync users and from other partners. An admin on your platform can only see tokens belonging to your organisation — never another partner's data.
File encryption
All files shared through SecureLync — including those created via the Partner API — are AES-256-GCM encrypted in the browser before upload. The server never sees plaintext file contents. Decryption keys are embedded in the share link and never stored server-side.
Rate limiting
The API enforces rate limits per partner API key. If you receive a 429 response, implement exponential backoff before retrying. Sustained abuse will result in key suspension.
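The following added example (not SecureLync's code) shows the backoff described above: exponential delay with full jitter, retrying only on 429 and returning every other status to the caller unchanged. The page's `sl_request()` helper discards the HTTP status, so the example's `sl_send()` captures it; `sl_send()`, `sl_with_backoff()`, the delay parameters and the stubbed responses are assumptions made for illustration.

```php
<?php
// Added example, not SecureLync code. sl_send() and sl_with_backoff()
// are hypothetical helper names.

// Like the page's sl_request(), but also returns the HTTP status code.
function sl_send(string $method, string $url, array $headers): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $raw    = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $body   = is_string($raw) ? json_decode($raw, true) : null;
    return ['status' => $status, 'body' => is_array($body) ? $body : ['ok' => false]];
}

// Calls $send until it returns something other than 429 or attempts run out.
// Wait before retry n is random in [0, min(cap, base * 2^(n-1))] ms (full jitter).
function sl_with_backoff(callable $send, int $maxAttempts = 5, int $baseMs = 500,
                         int $capMs = 8000, ?callable $sleepMs = null): array {
    $sleepMs ??= static function (int $ms): void { usleep($ms * 1000); };
    for ($attempt = 1; ; $attempt++) {
        $res = $send();
        if ($res['status'] !== 429 || $attempt >= $maxAttempts) {
            return $res + ['attempts' => $attempt];
        }
        $ceiling = (int) min($capMs, $baseMs * (2 ** ($attempt - 1)));
        $sleepMs(random_int(0, $ceiling));
    }
}

// Constructed stub standing in for the API: 429 twice, then 200.
$calls = 0;
$stub = function () use (&$calls): array {
    return ++$calls < 3
        ? ['status' => 429, 'body' => ['ok' => false, 'error' => 'rate limited (constructed)']]
        : ['status' => 200, 'body' => ['ok' => true, 'count' => 0, 'tokens' => []]];
};
$waits  = [];
$result = sl_with_backoff($stub, 5, 500, 8000, function (int $ms) use (&$waits): void { $waits[] = $ms; });
printf("status=%d attempts=%d waits=%s\n", $result['status'], $result['attempts'], implode(',', $waits));
```

In real use, pass a closure that calls `sl_send()` with the Authorization and X-Partner-* headers in place of the stub.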
User accounts
Partner users cannot log in to the SecureLync web interface directly — they only exist in the context of your integration. Their accounts are namespaced to your partner ID and are invisible to direct SecureLync users.
Expiry and cleanup
All partner tokens expire within a maximum of 7 days. Expired file bytes are deleted automatically by SecureLync's hourly cleanup process. Download history is retained for audit purposes until the account is deleted.