The Qonversion REST API v4 uses Bearer token authentication.

Secret Key

All v4 public endpoints require a Secret Key. Unlike v3, which mixed SDK-level access tokens with privileged server keys, v4 exposes only the server-to-server surface — so a single token type is used for every operation, from reads to privileged mutations (granting entitlements, managing products, experiment overrides, rotating credentials).
  • Prefixed with sk_
  • Found in Project settings in the Qonversion dashboard
  • Passed as Authorization: Bearer sk_…
curl --request GET \
  --url https://api.qonversion.io/v4/users/{user_id} \
  --header 'Authorization: Bearer sk_YOUR_SECRET_KEY' \
  --header 'Content-Type: application/json'
The Secret Key should only be stored on your server. Never use the Secret Key in Android, iOS, or web apps. Client apps authenticate through the Qonversion SDK, which uses a separate SDK-level token — not the public REST API v4.

Sandbox vs production

Use a test-prefixed token to target the sandbox environment:
Authorization: Bearer test_sk_…  → sandbox
Authorization: Bearer sk_…       → production
The API behaves identically in both environments; data is isolated.
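
Added example (not Qonversion's own code): one way a server can load the Secret Key from its environment, fail closed when the key's prefix does not match the environment the deployment expects, and build the request without ever logging the key. The QONVERSION_SECRET_KEY variable name and all helper names are assumptions, and the key value shown is constructed.

```python
import os
import urllib.request
from urllib.parse import quote

API_BASE = "https://api.qonversion.io/v4"  # base URL as shown in the curl example

class KeyConfigError(RuntimeError):
    """Secret Key is missing, malformed, or meant for the other environment."""

def key_environment(key: str) -> str:
    """Classify a Secret Key by the two prefixes the page documents."""
    if key.startswith("test_sk_") and len(key) > len("test_sk_"):
        return "sandbox"
    if key.startswith("sk_") and len(key) > len("sk_"):
        return "production"
    raise KeyConfigError("value is not a Secret Key (expected sk_ or test_sk_ prefix)")

def redact(key: str) -> str:
    """Keep only the prefix, so logs show the environment but never the key."""
    prefix = "test_sk_" if key.startswith("test_sk_") else "sk_"
    return prefix + "***"

def load_secret_key(expected_env: str, environ=os.environ) -> str:
    """Read the key from the server's environment; refuse a mismatched key."""
    key = environ.get("QONVERSION_SECRET_KEY", "").strip()  # hypothetical variable name
    if not key:
        raise KeyConfigError("QONVERSION_SECRET_KEY is not set")
    actual = key_environment(key)
    if actual != expected_env:
        # The error carries the redacted form only, never the key itself.
        raise KeyConfigError(
            f"{redact(key)} targets {actual}, but this deployment expects {expected_env}")
    return key

def build_user_request(user_id: str, key: str) -> urllib.request.Request:
    """Build (but do not send) GET /v4/users/{user_id} with the Bearer header."""
    url = f"{API_BASE}/users/{quote(user_id, safe='')}"
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")

if __name__ == "__main__":
    # Constructed sample value, not a real key.
    constructed = {"QONVERSION_SECRET_KEY": "test_sk_constructed_example"}
    key = load_secret_key("sandbox", environ=constructed)
    req = build_user_request("user/42", key)
    print(req.get_method(), req.full_url, "using", redact(key))
```

Calling load_secret_key("production") in a production deployment makes a sandbox key, or a value that is not a Secret Key at all, stop the process at startup instead of surfacing later as a 401.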

Error codes

Status  Error code            When
401     control_unauthorized  Missing or invalid Bearer token
403     control_forbidden     Valid token, insufficient permissions for the requested operation
See Handling Errors for the full error envelope.

Coming from v3?

In v3 some endpoints accepted a non-secret Project Key (SDK-level access token) — for example, reading users or creating purchases. In v4 those endpoints live only on the server-to-server surface and require a Secret Key. Client SDKs continue to use their own access token and do not call the v4 public API directly.