ProofGateway Testimonials API v1

Read-only API for approved testimonials. Use it to fetch testimonials and integrate them into your own apps, CMS, or automations.

Overview

  • Read-only — list and fetch approved testimonials only
  • Approved-only — v1 does not expose pending or rejected testimonials
  • Workspace-scoped — each API key is tied to one workspace

Authentication

Create an API key from Dashboard → API Keys. You will see the raw key once at creation — copy it immediately.

Use either header:

Authorization: Bearer pg_live_xxxxx
X-API-Key: pg_live_xxxxx

Endpoints

Base URL: your deployment URL (e.g. https://proofgateway.com)

List testimonials

GET /api/v1/testimonials

Query params: limit (default 20, max 100), offset (default 0), sort (created_at|updated_at), order (asc|desc), rating (1–5), has_video (true|false)

curl -H "Authorization: Bearer YOUR_KEY" \
  "https://proofgateway.com/api/v1/testimonials?limit=10"

Get single testimonial

GET /api/v1/testimonials/:id

curl -H "X-API-Key: YOUR_KEY" \
  "https://proofgateway.com/api/v1/testimonials/UUID"

Response shape

{
  "id": "uuid",
  "name": "Jane Doe",
  "role_company": "Acme Inc",
  "body": "Great product!",
  "rating": 5,
  "video_url": null,
  "video_thumbnail": null,
  "created_at": "2024-01-15T12:00:00.000Z",
  "updated_at": "2024-01-15T12:00:00.000Z"
}

List endpoint returns: { "data": [...], "pagination": { "limit", "offset", "count" } }

Errors

All errors: { "error": { "code": "...", "message": "..." } }

  • 400 invalid_request — Bad query params
  • 401 unauthorized — Missing or invalid API key
  • 404 not_found — Testimonial not found
  • 429 rate_limit_exceeded — 100 req/min per workspace
  • 500 internal_error

Rate limits

100 requests per minute per workspace. Returns 429 with Retry-After header when exceeded.

Security

  • Use API keys only from your backend — server, serverless function, or Next.js server component. Never put them in client-side JavaScript; they would be exposed.
  • Never log or expose your raw API key
  • Revoke keys immediately if compromised
  • Keys are hashed; raw key shown only at creation
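
The following is an added example, not ProofGateway's own code: a server-side Node.js helper that follows the Security and Rate limits sections by reading the key from the environment, paging through the list endpoint, waiting on 429 as Retry-After instructs, and keeping the key out of error messages. The environment variable name PROOFGATEWAY_API_KEY, the helper names, and the "short page means last page" stop condition are assumptions.

```javascript
// Added example, not ProofGateway's own code. Run it server-side only.
// Assumptions: the env var name PROOFGATEWAY_API_KEY, and that a page shorter
// than `limit` is the last page (the docs do not define pagination.count).
const BASE_URL = "https://proofgateway.com"; // use your deployment URL

// Convert a Retry-After value in seconds into a bounded wait in milliseconds.
function retryDelayMs(headerValue, fallbackMs = 1000, maxMs = 60000) {
  const seconds = Number.parseInt(headerValue ?? "", 10);
  if (!Number.isFinite(seconds) || seconds < 0) return fallbackMs;
  return Math.min(seconds * 1000, maxMs);
}

// Collect all approved testimonials, 100 per request, waiting on 429.
// fetchImpl and sleep are injectable so the loop can be exercised offline.
async function fetchAllTestimonials({
  apiKey = process.env.PROOFGATEWAY_API_KEY,
  fetchImpl = fetch,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  maxRetries = 3,
} = {}) {
  if (!apiKey) throw new Error("ProofGateway API key is not configured");
  const limit = 100;
  const all = [];
  let offset = 0;
  let retries = 0;
  for (;;) {
    const url = `${BASE_URL}/api/v1/testimonials?limit=${limit}&offset=${offset}`;
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${apiKey}` } });
    if (res.status === 429 && retries < maxRetries) {
      retries += 1;
      await sleep(retryDelayMs(res.headers.get("Retry-After")));
      continue; // retry the same offset
    }
    const body = await res.json().catch(() => null);
    if (!res.ok || !Array.isArray(body?.data)) {
      // Report only the status and documented error code, never the key.
      throw new Error(`ProofGateway ${res.status}: ${body?.error?.code ?? "unknown"}`);
    }
    all.push(...body.data);
    if (body.data.length < limit) return all;
    offset += limit;
    retries = 0;
  }
}
```

Call it from a server route, serverless function, or server component, and pass only the testimonial fields to the browser.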