API Reference
Read your data and drive exclusions over REST
Every number in the dashboard is available over a REST API: scored sessions, source
breakdowns, the conversion-scoring view, efficacy metrics, and disputes. The API is on the
Pro plan. The base URL is
https://app.clicklens.io/api/v1,
responses are JSON, and the full machine-readable definition lives at the
OpenAPI document linked below.
Three credentials, three jobs
ClickLens uses three separate secrets. Mixing them up is the most common integration mistake, so check this table before you start.
| Credential | Looks like | Where it goes | What it does |
|---|---|---|---|
| API key | cl_live_… | Authorization: Bearer header on /api/v1 requests | Reads your dashboard data (sessions, sources, efficacy, conversions). Pro plan. Treat it like a password. |
| Site key | data-site | In the install snippet, and the Bearer token on /sessions/convert | Identifies which site a beacon or server-side conversion belongs to. Public by design, grants no dashboard access. |
| Beacon token | data-cl-token | In the install snippet only | Signs each beacon (HMAC-SHA256) so a forged or replayed beacon is flagged. Never sent to the REST API. |
The rest of this guide covers the API key. The site key and beacon token are documented in the install guide and conversion tracking.
Create an API key
Generate keys under Settings → API Keys in the dashboard. A key is shown in full exactly once, at creation; ClickLens stores only a hash, so a lost key cannot be recovered and must be replaced. An account holds up to five active keys at a time. Revoke a key from the same screen and it stops authenticating immediately.
Keys carry the cl_live_
prefix and authenticate as the account that created them, with the same site access. They
are created and revoked from the dashboard only, not over the API.
Make a request
Send the key as a bearer token. Most read endpoints take a
siteId query parameter
and an optional startDate/endDate range.
curl https://app.clicklens.io/api/v1/sessions?siteId=YOUR_SITE_ID \
-H "Authorization: Bearer cl_live_your_key_here"
A request without a valid key returns
401. A key whose account
is below the Pro plan returns
403 with the required
plan in the body. Requesting a site the account cannot access returns
403.
Rate limits
The authenticated API allows 60 requests per minute, counted per API key. The public beacon endpoint is limited separately to 100 requests per IP per minute, which the tracking tag stays well under on its own.
Over the limit, the API returns
429 with a JSON body:
{ "error": "Rate limit exceeded. Maximum 60 requests per 1 minutes." }.
Space out polling and cache responses where you can; the dashboard data behind these
endpoints updates on the order of seconds, not milliseconds.
Endpoint groups
The endpoints fall into these groups. The OpenAPI document has the exact parameters and response shape for each.
| Group | Endpoints | Use |
|---|---|---|
| Sites | GET/POST /sites, GET /sites/:id/tag | List and register sites, fetch a tag snippet. |
| Sessions | GET /sessions, GET /sessions/:id | List scored sessions with filters; read one session with all signals and flags. |
| Dashboard | GET /dashboard, GET /sources, GET /reports/waste | Aggregated KPIs, traffic-source breakdown, and the wasted-spend estimate. |
| Conversions | GET /conversions | The conversion-scoring view: graded verdicts, would-be write-back, per-platform sync health, holdout divergence. |
| Efficacy | GET /efficacy, GET /efficacy/flags | Confusion matrix with per-class precision, recall and F1, plus per-flag bot precision. |
| Disputes | GET/POST /disputes, PATCH/DELETE /disputes/:id, POST /disputes/batch | File, list and resolve verdict disputes; an accepted dispute becomes verified ground truth. |
| Exclusions | GET/POST/DELETE /exclusions, POST /exclusions/sync* | Manage exclusion rules and sync them to a connected ad platform. Sync is Growth plan or higher. |
| API keys | GET/POST /api-keys, DELETE /api-keys/:id | Create and revoke API keys. Dashboard (session) authentication only. |
The disputes and efficacy groups are explained end to end in disputes and efficacy; the conversions group in conversion protection; and exclusion sync, with its per-platform limits, in exclusions and platform sync.
Full reference
The complete, machine-readable definition is served as an OpenAPI 3.0 document. Import it into Postman, Insomnia, or a client generator.
https://app.clicklens.io/api/v1/docs It covers every endpoint above, the public beacon and audit endpoints, the Stripe and CRM webhooks, and the cron jobs, each with its security scheme and response codes.