The Qonversion REST API v4 uses Bearer token authentication.
Secret Key
All v4 public endpoints require a Secret Key. Unlike v3, which mixed SDK-level access tokens with privileged server keys, v4 exposes only the server-to-server surface — so a single token type is used for every operation, from reads to privileged mutations (granting entitlements, managing products, experiment overrides, rotating credentials).
- Prefixed with `sk_`
- Found in Project settings in the Qonversion dashboard
- Passed as `Authorization: Bearer sk_…`

```bash
curl --request GET \
  --url https://api.qonversion.io/v4/users/{user_id} \
  --header 'Authorization: Bearer sk_YOUR_SECRET_KEY' \
  --header 'Content-Type: application/json'
```
The Secret Key should only be stored on your server. Never use the Secret Key in Android, iOS, or web apps. Client apps authenticate through the Qonversion SDK, which uses a separate SDK-level token — not the public REST API v4.
Sandbox vs production
Use a test-prefixed token to target the sandbox environment:
- `Authorization: Bearer test_sk_…` → sandbox
- `Authorization: Bearer sk_…` → production
The API behaves identically in both environments; data is isolated.
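A server-side guard for the prefix convention above, as an added example that is not Qonversion's code: it reads the key from an environment variable, refuses a key whose prefix does not match the environment the process expects, and keeps the key itself out of error messages. The variable name `QONVERSION_SECRET_KEY` and all function names are assumptions made for this example.

```python
import os

# Prefixes come from the page; the names below are illustrative, not a Qonversion API.
PREFIX_TO_ENV = (("test_sk_", "sandbox"), ("sk_", "production"))


class SecretKeyError(ValueError):
    """Key is missing, malformed, or targets the wrong environment."""


def key_environment(key: str) -> str:
    """Return 'sandbox' or 'production' based on the documented prefix."""
    for prefix, env in PREFIX_TO_ENV:
        # Require at least one character after the prefix.
        if key.startswith(prefix) and len(key) > len(prefix):
            return env
    raise SecretKeyError("not a Secret Key: expected an sk_ or test_sk_ prefix")


def redact(key: str) -> str:
    """Keep only the prefix so logs show the target environment, never the key."""
    for prefix, _ in PREFIX_TO_ENV:
        if key.startswith(prefix):
            return prefix + "***"
    return "***"


def auth_headers(expected_env: str, env_var: str = "QONVERSION_SECRET_KEY") -> dict:
    """Build the Bearer header; env_var is a hypothetical variable name."""
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise SecretKeyError(f"{env_var} is not set")
    actual = key_environment(key)
    if actual != expected_env:
        raise SecretKeyError(
            f"{redact(key)} targets {actual}, but this process expects {expected_env}"
        )
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    os.environ["QONVERSION_SECRET_KEY"] = "sk_constructed_sample"  # constructed value
    try:
        auth_headers("sandbox")  # e.g. a CI job that must never touch production
    except SecretKeyError as exc:
        print(f"refused: {exc}")
```

Calling `auth_headers("sandbox")` in test and CI jobs makes a misplaced production key fail before any request is sent.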
Error codes
| Status | Error code | When |
|---|---|---|
| 401 | control_unauthorized | Missing or invalid Bearer token |
| 403 | control_forbidden | Valid token, insufficient permissions for the requested operation |
See Handling Errors for the full error envelope.
Coming from v3?
In v3 some endpoints accepted a non-secret Project Key (SDK-level access token) — for example, reading users or creating purchases. In v4 those endpoints live only on the server-to-server surface and require a Secret Key. Client SDKs continue to use their own access token and do not call the v4 public API directly.