Manage program settings and your API key
Edit your program's terms after launch and find, copy, or regenerate the per-program API key that authenticates your tracking integration.
Everything you configured in the setup wizard stays editable after launch, and the same Settings page holds the API key that every server-side tracking call authenticates with. This guide shows where each setting lives, how to change terms safely, and how to rotate the key without breaking tracking.
What lives in Settings
Open your brand workspace and select Settings in the left menu. The page is organized as a checklist of sections:

| Section | What you edit there |
|---|---|
| Business Profile | Program name, marketplace handle, website URL, logo |
| Approval mode | How partner applications are handled — manual review or auto-accept |
| Commission | Default commission type, rate, and hold period |
| Branding | How your program page looks to partners in the marketplace |
| Tracking & Integrations | Status of click, lead (signup), and payment tracking |
| Share Program | A shareable link for recruiting partners |
| API Key (under Developer) | The per-program secret key for server-side tracking calls |
Step 1: Edit program terms after launch
Programs evolve — rates get adjusted, branding gets refreshed, approval policies tighten or loosen. None of this requires recreating the program.
- Select Settings in the left menu of your brand workspace.
- Choose the section you want to change: Commission for the default rate and hold period, Approval mode to switch between manual review and auto-accept, Business Profile for the program name, website, and logo, or Branding for your marketplace page.
- Make the change and save the section.
The Commission section sets your program-wide default. To pay different rates to different sets of partners, organize partners into groups — each group carries its own commission policy.
Step 2: Find your API key
Every server-side call to the tracking API — sales, refunds, and server-mode leads — authenticates with a Bearer token that is unique to your program. Integrations, SDKs, the CLI, and AI agents all use this same key.
- Select Settings in the left menu.
- Under Developer, select API Key.
The key is stored hashed and displays masked. The full value is revealed exactly once — at the moment it is generated. If you no longer have the current key stored anywhere, you can't recover it from the dashboard; regenerate it instead (Step 3).
Store the key as a server-side environment variable:
# .env — server-side only. Never ship this key to the browser.
AFFITOR_API_KEY=YOUR_PROGRAM_API_KEYThe API Key section also gives you a one-line instruction for an AI coding agent. It points the agent at skill.md with your program ID and key variable, so the agent can install tracking for you — see Agent Integration.
Step 3: Regenerate the key
Rotate the key if it may have leaked, if it was committed to a repository, or as routine hygiene when a team member with key access leaves.
Regenerating invalidates the old key immediately. Every integration still sending it starts receiving 401 responses until you deploy the new key. The new key's full value is shown one time only — copy it before you close the reveal.
- In Settings → API Key, regenerate the key.
- Copy the new key from the one-time reveal.
- Update
AFFITOR_API_KEYeverywhere the old key was stored — deployment environment, secret manager, CI — and redeploy.
Verify it worked
Send a test-mode sale with the new key. It authenticates exactly like a real sale but creates no commission and no platform fee.
Request — POST /api/v1/track/sale:
curl -X POST https://api.affitor.com/api/v1/track/sale \
-H "Authorization: Bearer YOUR_PROGRAM_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"additional_data": { "test_mode": true },
"amount_cents": 9999,
"currency": "USD",
"sale_type": "payment"
}'Expected response:
{
"success": true,
"message": "Test sale event tracked successfully",
"data": {
"eventId": 789,
"programId": 1,
"test_mode": true
}
}- `POST /api/v1/track/sale` with the new key returns `200` and `"success": true` — the key authenticates
- If you regenerated, the same request with the old key now returns `401` — rotation is complete
- The test event appears under your program's tracking events, flagged as a test — no commission is created
- A `401` means the header is malformed or the key doesn't match an active program — copy the key again from **Settings** → **API Key** and check your env variable for trailing whitespace
- See the [error reference](/api-reference/errors) for every `401` cause and fix