Skip to content

API Overview & Authentication

ADBNK exposes a RESTful HTTP API in four groups:

GroupPrefixAuthDescription
Advertiser API/api/advertiserJWT BearerBackend for the advertiser console
Publisher API/api/publisherJWT BearerBackend for the publisher console
Ad Request API/adNoneReal-time ad requests from zones
Event Reporting API/trackNoneImpression / click / conversion reporting

Base URL

The base domain for all endpoints is https://api.adbnk.co. Ad requests and event reporting also have dedicated subdomains js.adbnk.co (SDK) and track.adbnk.co (tracking); examples here use the business domains uniformly.

Authentication

The advertiser / publisher endpoints use JWT Bearer Token auth. First call the corresponding login endpoint to get a token, then carry it in the Authorization header of every request:

http
Authorization: Bearer <token>

Passing it via the query parameter ?token=<token> is also supported (only for scenarios where you can't set custom headers, such as pixels and iframes).

The token is signed with HMAC-SHA256; the payload includes id (user ID), type (admin / advertiser / publisher), iat, and exp. The default validity is 86400 seconds (24 hours); after expiry you must log in again.

Token type and path must match

An advertiser token can only access /api/advertiser/*, and a publisher token can only access /api/publisher/*; cross-role access returns 401.

Example successful login response:

json
{
  "code": 0,
  "message": "Login successful",
  "data": {
    "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9....",
    "token_type": "Bearer",
    "expires_in": 86400,
    "user": { "id": 1, "username": "demo", "email": "[email protected]" }
  },
  "timestamp": 1752200000
}

Unified response envelope

All endpoints return a unified JSON envelope:

json
{
  "code": 0,
  "message": "success",
  "data": {},
  "timestamp": 1752200000
}
FieldTypeDescription
codeintBusiness status code; 0 means success, non-zero means failure
messagestringHuman-readable message (localized by request language)
dataobject/array/nullBusiness data
timestampintServer Unix timestamp (seconds)

When message comes from an i18n translation key, the response also carries message_key (and optionally message_params) for frontend re-localization.

Dual status codes

code is the primary business signal (0 = success). The HTTP status code is also aligned with code (200 on success, errors mapped to the corresponding 4xx/5xx), making it easy for CDN / WAF / monitoring to recognize error rates.

Error code convention

code reuses HTTP semantics; common values:

codeHTTPMeaning
0200Success
400400Bad parameters / validation failure
401401Not logged in / invalid or expired token
403403Insufficient permission / account disabled / feature off
404404Resource not found
412412Precondition failed (profile incomplete / KYC not passed)
422422Semantic validation failure
429429Too many requests
500500Server error

Example error response:

json
{
  "code": 401,
  "message": "Invalid or expired token",
  "data": null,
  "timestamp": 1752200000
}

Pagination convention

List endpoints use these query parameters uniformly:

ParamTypeRequiredDefaultDescription
pageintNo1Page number, min 1
page_sizeintNo20Items per page, range 1–100
sort_fieldstringNoidSort field (whitelisted per endpoint)
sort_orderstringNodescSort direction: asc / desc

Paginated response structure:

json
{
  "code": 0,
  "message": "success",
  "data": {
    "list": [],
    "pagination": {
      "total": 135,
      "page": 1,
      "page_size": 20,
      "total_pages": 7
    }
  },
  "timestamp": 1752200000
}

Rate limiting

The platform doesn't apply uniform rate limiting to all endpoints, but it throttles sensitive operations:

  • Forgot password: the same email can only request once per 60 seconds; exceeding returns 429.
  • Event reporting: impression / click dedup windows are controlled by the admin settings ad.impression_dedup_seconds / ad.click_dedup_seconds; duplicate events within the window aren't billed.

WARNING

Specific thresholds may change with platform configuration; refer to the actual response.

CORS

Cross-origin requests are allowed from *.adbnk.co, localhost, and 127.0.0.1 origins, allowing the headers Content-Type, Authorization, X-Requested-With, Accept, Origin, X-Token. CORS preflight (OPTIONS) handling is enabled for all groups.


Continue reading: Advertiser API · Publisher API · Ad Request API · Events & Conversion Reporting

Documentation released under the MIT License.