This page describes the public LinkLoot API as it is implemented today. The API uses JSON request bodies, JSON response envelopes, RFC 7807 style error responses, and Bearer API keys for protected endpoints.
Protected routes use an API key in the Authorization header. A key can have read and write permissions. Blog creation also requires that the key belongs to an ADMIN user.
Authorization: Bearer YOUR_API_KEY
Auth and scope matrix
API keys can have read and write permissions. Blog writes also require an ADMIN owner.
| Route | Public | Read key | Write key | Admin write key |
|---|---|---|---|---|
| GET /api/v1/categories | Yes | Yes | Yes | Yes |
| GET /api/v1/loot/ | Yes | Yes | Yes | Yes |
| GET /api/v1/loot/{id} | Approved only | Approved + own context | Approved + own context | All loot |
| POST /api/v1/loot/ | No | No | Own PENDING loot | APPROVED loot |
| PATCH /api/v1/loot/{id} | No | No | Own loot, resets to PENDING | Any loot |
| DELETE /api/v1/loot/{id} | No | No | Own loot | Any loot |
| GET /api/v1/blog/ | Published only | Published only | Published only | Published only |
| GET /api/v1/blog/{id} | Published only | Published only | Published only | Published, draft, scheduled |
| POST /api/v1/blog/ | No | No | No | Yes |
| GET /api/v1/me | No | Yes | Yes | Yes |
Rate limits
Public reads are limited by IP. Authenticated reads and writes are limited by API key. Admin writes are limited by the owning user account.
Public read: 120/min
Public heavy read: 60/min
Authenticated read: 600/min
Authenticated write: 120/min
Admin write: 60/min
OpenAPI contract
The machine-readable OpenAPI document can be imported into Swagger Editor, Postman, Insomnia, Stoplight, or similar tools.
https://linkloot.io/api/openapi
Request behavior
Use the documented collection paths with a trailing slash: /api/v1/loot/ and /api/v1/blog/. Legacy collection calls without the trailing slash receive a method-preserving 308 redirect.
Pagination is strict: page starts at 1 and limit must be 1 to 50. Without proof filters, meta.total is the total matching record count and meta.pages is ceil(total / limit).
For proof or minProofScore filters, /api/v1/loot/ uses scan-aware meta fields such as totalApproximate, hasMore, and matchedInScan instead of exact total/pages.
Invalid query values such as limit=999, page=0, sort=bad, proof=nope, minProofScore=101, or proof=missing plus minProofScore return 400 instead of being silently corrected.
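The pagination and query rules above, as a client-side pre-flight check and page walker. This is an added example, not LinkLoot's own code. It checks only the rules this page states (sort and proof values are left to the server because the page does not list the allowed ones), the lower bound of 0 for minProofScore is an assumption, and the function names are hypothetical.

```python
import math

def _as_int(value):
    """Parse a query value as a base-10 integer; None if it is not one."""
    try:
        return int(str(value))
    except ValueError:
        return None

def validate_query(params):
    """Return the reasons the API would answer 400 for these query params."""
    errors = []
    if "page" in params:
        page = _as_int(params["page"])
        if page is None or page < 1:
            errors.append("page must be an integer >= 1")
    if "limit" in params:
        limit = _as_int(params["limit"])
        if limit is None or not 1 <= limit <= 50:
            errors.append("limit must be an integer from 1 to 50")
    if "minProofScore" in params:
        score = _as_int(params["minProofScore"])
        # 101 is rejected per the page; the lower bound of 0 is an assumption.
        if score is None or not 0 <= score <= 100:
            errors.append("minProofScore must be an integer from 0 to 100")
        if params.get("proof") == "missing":
            errors.append("proof=missing cannot be combined with minProofScore")
    return errors

def next_page(meta, page, limit):
    """Return the next page number, or None when the listing is exhausted.

    Handles both meta shapes: scan-aware (hasMore) for proof filters and
    exact (total/pages) for everything else.
    """
    if "hasMore" in meta:
        return page + 1 if meta["hasMore"] else None
    pages = math.ceil(meta["total"] / limit)
    # The page defines meta.pages as ceil(total / limit); stop on a mismatch
    # instead of looping on a response that contradicts itself.
    if meta.get("pages", pages) != pages:
        raise ValueError("meta.pages does not match ceil(total / limit)")
    return page + 1 if page < pages else None

# Constructed sample meta objects, not captured API output.
EXACT_META = {"total": 101, "pages": 3}
SCAN_META = {"totalApproximate": 40, "hasMore": True, "matchedInScan": 12}
```
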
Loot lists intentionally omit the content field. Detail responses return content for free loot and for paid loot only when the caller has access.
Economy and price limits
Paid-loot prices are validated server-side. Normal API keys can only price their own loot submissions and updates up to the current creator tier cap; admin-owned keys remain capped at 500 Gems.
Rank limits
| Title | Max loot price | Creator share |
|---|---|---|
| Scout | 29 | 80% |
| Raider | 49 | 80% |
| Captain | 79 | 85% |
| Architect | 149 | 90% |
| Legend | 299 | 95% |
| Mythic | 500 | 95% |
Recommended prices
| Loot type | Gems |
|---|---|
| Mini Loot | 15 |
| Standard Paid Loot | 29 |
| Workflow / Template | 39 |
| Premium / XXL Loot | 49-79 |
| Courses / Bundles | 149+ |
Bots should call GET /api/v1/me first and read lootPriceCap. If gemPrice is above it, the Loot API returns 422.
Endpoints
GET /api/v1/categories (Public)
Lists all active categories and active subcategories. Use this before creating loot so you can send a valid categoryId and optional subCategory.
API responses include CORS headers. Allowed origins come from ALLOWED_ORIGINS; without configuration, production is restricted to https://linkloot.io. Server-to-server API clients are not affected.
Access-Control-Allow-Origin: https://linkloot.io or configured ALLOWED_ORIGINS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Methods: GET, POST, PATCH, DELETE, OPTIONS