Overview & auth
The xengo API is plain REST + JSON. Everything you can do in the console, you can do in code — create and re-point links, bulk-import, pull analytics, render QR codes and manage notification channels.
Base URL: https://api.neon.xengo.ioSpec: https://api.neon.xengo.io/v1/openapi.json (OpenAPI 3.1, public)API access is included from the Pro plan (£39/mo); Business and Enterprise add higher rate limits.
Authentication
Section titled “Authentication”Create keys in the console under API Keys. Keys look like
xgo_live_… / xgo_test_…, are stored hashed, and are shown once at
creation — same one-time model as webhook signing secrets. Up to 25 keys per
account.
Send the key either way:
curl https://api.neon.xengo.io/v1/links \ -H "Authorization: Bearer $XENGO_API_KEY"# orcurl https://api.neon.xengo.io/v1/links \ -H "x-api-key: $XENGO_API_KEY"Scopes
Section titled “Scopes”Each key carries scopes chosen at creation — grant only what the integration needs:
| Scope | Allows |
|---|---|
links:read |
List and fetch links |
links:write |
Create, update, bulk-create, delete links |
analytics |
Tenant-wide and per-link analytics |
qr |
QR rendering |
notifications |
List/create/delete notification channels |
A request outside the key’s scopes returns 403 with
"code": "insufficient_scope".
Your first request
Section titled “Your first request”curl -X POST https://api.neon.xengo.io/v1/links \ -H "Authorization: Bearer $XENGO_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "destination": "https://example.com/offer", "code": "offer24" }'{ "code": "offer24", "domain": "go.xgo.fi", "shortUrl": "https://go.xgo.fi/offer24", "destination": "https://example.com/offer", "status": "active", "tags": {}, "notifyChannels": [], "createdAt": "2026-07-12T14:00:00+00:00"}Ground rules
Section titled “Ground rules”- Same enforcement as the console — plan quotas, safety screening and billing state apply identically to API calls.
- Rate limits are per plan and enforced per minute — over-limit calls get
a proper
429withRetry-After. See Errors & rate limits. - Destinations are screened — a malicious URL is rejected at create time, API or console alike.
