Summary and recommendation
ShareASale exposes an affiliate management API at https://api.shareasale.com/x.cfm using HMAC-SHA256 signed requests.
Authentication requires a per-request signature constructed by concatenating the API token, a current timestamp (yyyyMMddHHmmss), and the action verb, then hashing with the Secret Key - stale timestamps are rejected outright.
All responses are CSV-formatted by default; there is no JSON or XML output mode, so every consumer must implement a CSV parser.
All state-changing operations (approve, decline, deactivate) use HTTP GET, not POST/PUT/DELETE - design your HTTP client accordingly to prevent caching side effects.
There is no user-creation endpoint; affiliates self-register and merchants can only approve, decline, or deactivate existing applicants via API.
API quick reference
| Has user API | Yes |
| Auth method | API Token + Secret Key (HMAC-SHA256 signed requests) |
| Base URL | Official docs |
| SCIM available | No |
| SCIM plan required | N/A |
Authentication
Auth method: API Token + Secret Key (HMAC-SHA256 signed requests)
Setup steps
- Log in to your ShareASale merchant or affiliate account.
- Navigate to Account > API Access to generate an API Token and Secret Key.
- For each API request, construct a signature string: concatenate the API Token, current timestamp (yyyyMMddHHmmss), and the action verb, then HMAC-SHA256 hash it using your Secret Key.
- Include the following HTTP headers on every request: x-ShareASale-Date (timestamp), x-ShareASale-Authentication (the HMAC-SHA256 hex digest), and the API Token as a query parameter (token=).
- All requests must be made over HTTPS.
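The signing steps above as an added Python example (not ShareASale's or this page's own code). The page does not give the separator, timestamp time zone, or digest case, so joining with no separator, UTC, and lowercase hex are assumptions to confirm against the official docs; `build_url` and `redact_url` are hypothetical helpers.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

BASE_URL = "https://api.shareasale.com/x.cfm"
API_VERSION = "2.8"


def sign_request(token, secret, action, now=None):
    """Return the auth headers for one request.

    Assumptions: token, timestamp and action are joined with no separator,
    the timestamp is UTC, and the digest is sent as lowercase hex.
    """
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y%m%d%H%M%S")  # yyyyMMddHHmmss
    message = f"{token}{stamp}{action}".encode()
    digest = hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()
    return {
        "x-ShareASale-Date": stamp,
        "x-ShareASale-Authentication": digest,
        # State-changing actions are GETs: ask caches not to store or replay.
        "Cache-Control": "no-cache, no-store",
    }


def build_url(token, action, **params):
    """Build the request URL; urlencode escapes every parameter value."""
    query = {"action": action, **params, "token": token, "version": API_VERSION}
    return f"{BASE_URL}?{urlencode(query)}"


def redact_url(url):
    """Mask the token before a URL is logged; it travels in the query string."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "token" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))
```

Sign immediately before sending, since stale timestamps are rejected, and log only the output of `redact_url`.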
User object / data model
| Field | Type | Description | On create | On update | Notes |
|---|---|---|---|---|---|
| affiliateId | integer | Unique identifier for the affiliate account. | system-assigned | immutable | Primary key for affiliate records. |
| affiliateName | string | Display name of the affiliate. | required | read-only via API | Set during affiliate registration. |
| email | string | Email address associated with the affiliate account. | required | not updatable via API | Used for account communications. |
| status | string | Affiliate relationship status (e.g., active, pending, declined, deactivated). | system-assigned | updatable via approve/decline actions | Reflects merchant-affiliate relationship state. |
| website | string | Primary website URL of the affiliate. | optional | read-only via API | Submitted during affiliate application. |
| country | string | Country of the affiliate. | optional | read-only via API | ISO country code. |
| joinDate | date | Date the affiliate joined the program. | system-assigned | immutable | Format: MM/DD/YYYY. |
| commissionRate | decimal | Commission rate assigned to the affiliate. | optional | updatable | Can be set per-affiliate or use program default. |
| tags | string | Merchant-assigned tags for affiliate categorization. | optional | updatable | Comma-separated values. |
Core endpoints
List affiliates in program
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=getAffiliateList&token={token}&version=2.8
- Watch out for: Response is CSV-formatted by default, not JSON. Parse accordingly.
Request example
GET /x.cfm?action=getAffiliateList&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
affiliateId,affiliateName,status,email,website
12345,JohnDoe,active,john@example.com,https://example.com
Get affiliate details
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=getAffiliate&affiliateId={id}&token={token}&version=2.8
- Watch out for: Returns CSV. Fields may vary by account type (merchant vs. affiliate API access).
Request example
GET /x.cfm?action=getAffiliate&affiliateId=12345&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
affiliateId,affiliateName,status,email,website,country,joinDate
12345,JohnDoe,active,john@example.com,https://example.com,US,01/01/2023
Approve affiliate application
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=approveAffiliate&affiliateId={id}&token={token}&version=2.8
- Watch out for: Only available to merchant accounts. Affiliate must be in 'pending' status.
Request example
GET /x.cfm?action=approveAffiliate&affiliateId=12345&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
result,affiliateId
success,12345
Decline affiliate application
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=declineAffiliate&affiliateId={id}&token={token}&version=2.8
- Watch out for: Irreversible via API; declined affiliates must reapply.
Request example
GET /x.cfm?action=declineAffiliate&affiliateId=12345&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
result,affiliateId
success,12345
Deactivate affiliate
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=deactivateAffiliate&affiliateId={id}&token={token}&version=2.8
- Watch out for: Deactivation removes affiliate from active program; does not delete the account.
Request example
GET /x.cfm?action=deactivateAffiliate&affiliateId=12345&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
result,affiliateId
success,12345
Edit affiliate commission
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=editAffiliate&affiliateId={id}&commissionRate={rate}&token={token}&version=2.8
- Watch out for: Not all affiliate fields are editable via API; profile fields like email are read-only.
Request example
GET /x.cfm?action=editAffiliate&affiliateId=12345&commissionRate=15&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
result,affiliateId,commissionRate
success,12345,15
Get pending affiliate applications
- Method: GET
- URL: https://api.shareasale.com/x.cfm?action=getPendingAffiliates&token={token}&version=2.8
- Watch out for: Returns CSV. Large programs may need pageNumber parameter for pagination.
Request example
GET /x.cfm?action=getPendingAffiliates&token=MYTOKEN&version=2.8
Headers:
x-ShareASale-Date: 20240101120000
x-ShareASale-Authentication: <hmac_hex>
Response example
affiliateId,affiliateName,email,website,applicationDate
67890,JaneDoe,jane@example.com,https://jane.com,01/15/2024
Rate limits, pagination, and events
Rate limits: ShareASale does not publicly document specific rate limit tiers or numeric thresholds in their official API documentation.
Rate-limit headers: No
Retry-After header: No
Rate-limit notes: No official rate limit figures, headers, or Retry-After behavior documented. Excessive requests may result in temporary API access suspension per ShareASale's terms of service.
Pagination method: offset
Default page size: 0
Max page size: 0
Pagination pointer: pageNumber
Webhooks available: No
Webhook notes: ShareASale does not offer native webhook support for user/affiliate management events as documented in official sources.
Alternative event strategy: Poll the API endpoints (e.g., getPendingAffiliates, getAffiliateList) on a scheduled basis to detect status changes.
SCIM API status
- SCIM available: No
- SCIM version: Not documented
- Plan required: N/A
- Endpoint: Not documented
Limitations:
- No SCIM support documented. No IdP (Okta, Entra, Google Workspace, OneLogin) provisioning connectors available.
Common scenarios
Three primary automation scenarios are supported by the current API surface.
First, auto-approving pending affiliate applications: poll getPendingAffiliates, parse the CSV for affiliateId values, then call approveAffiliate per ID - note that approval is irreversible via API.
Second, bulk deactivating affiliates by status audit: paginate getAffiliateList using the pageNumber parameter, filter by criteria such as inactivity, then call deactivateAffiliate per qualifying ID individually, as no bulk endpoint exists.
Third, syncing commission rates from an external system: retrieve the affiliate list, diff commissionRate values against your source of truth, and call editAffiliate with the corrected rate; only commissionRate and a limited field set are writable, and email and name are read-only.
For building an identity graph across your SaaS stack, affiliateId is the stable join key; email and status fields enable cross-system correlation, but profile mutations must originate outside the API.
Auto-approve pending affiliate applications
- Authenticate by generating HMAC-SHA256 signature with current timestamp and API token.
- Call GET /x.cfm?action=getPendingAffiliates to retrieve all pending applications.
- Parse the CSV response to extract affiliateId values.
- For each affiliateId meeting your criteria, call GET /x.cfm?action=approveAffiliate&affiliateId={id} to approve.
- Log results from each approval response CSV for audit purposes.
Watch out for: All state-changing calls use GET; ensure your HTTP client does not cache GET responses. Approval is irreversible via API.
Bulk deactivate affiliates by status audit
- Call GET /x.cfm?action=getAffiliateList with pageNumber parameter to paginate through all active affiliates.
- Parse CSV responses and filter affiliates meeting deactivation criteria (e.g., no sales in 12 months).
- For each qualifying affiliateId, call GET /x.cfm?action=deactivateAffiliate&affiliateId={id}.
- Verify response CSV shows 'success' for each deactivation.
Watch out for: Deactivation does not delete the affiliate account; they remain in the system but are removed from the active program. No bulk deactivation endpoint exists; each must be called individually.
Sync affiliate commission rates from external system
- Retrieve current affiliate list via GET /x.cfm?action=getAffiliateList.
- Compare commissionRate values in the CSV response against your external system's records.
- For affiliates with mismatched rates, call GET /x.cfm?action=editAffiliate&affiliateId={id}&commissionRate={newRate}.
- Parse response CSV to confirm successful update.
Watch out for: Only commissionRate and a limited set of fields are updatable via API. Core profile fields (email, name) cannot be changed through the API.
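All three workflows above share the same two parsing steps: read a list CSV into validated rows, then confirm the result CSV of each state-changing call. The added Python example below (not the page's or ShareASale's code) does both strictly. The page does not document error bodies, so any body without the expected columns is rejected; `https_site` is a hypothetical approval criterion and the sample data is constructed.

```python
import csv
import io

# Constructed sample body in the shape of the getPendingAffiliates example.
SAMPLE_PENDING = (
    "affiliateId,affiliateName,email,website,applicationDate\n"
    "67890,JaneDoe,jane@example.com,https://jane.com,01/15/2024\n"
    "67891,SamRoe,sam@example.com,http://sam.example,01/16/2024\n"
)


class ResponseError(ValueError):
    """The body is not the CSV this caller expected."""


def parse_rows(body, required):
    """Parse a CSV body into dicts; affiliateId is always required."""
    reader = csv.DictReader(io.StringIO(body.strip()))
    header = reader.fieldnames or []
    missing = [c for c in ["affiliateId", *required] if c not in header]
    if missing:
        # Error text, HTML, or an unexpected layout ends up here.
        raise ResponseError(f"missing columns {missing}, header was {header}")
    rows = []
    for line_no, row in enumerate(reader, start=2):
        if None in row or None in row.values():
            raise ResponseError(f"line {line_no}: wrong number of fields")
        raw_id = row["affiliateId"]
        if not (raw_id.isascii() and raw_id.isdigit()):
            raise ResponseError(f"line {line_no}: affiliateId is not an integer")
        row["affiliateId"] = int(raw_id)
        rows.append(row)
    return rows


def select_ids(body, required, allow):
    """IDs of the rows accepted by the caller's policy function."""
    return [r["affiliateId"] for r in parse_rows(body, required) if allow(r)]


def confirm(body, expected_id):
    """True only if the result CSV reports success for the ID acted on."""
    rows = parse_rows(body, ["result"])
    return (len(rows) == 1 and rows[0]["result"] == "success"
            and rows[0]["affiliateId"] == expected_id)


def https_site(row):
    """Hypothetical approval criterion: the applicant lists an https site."""
    return row["website"].lower().startswith("https://")
```

Because every ID is coerced to an integer before it reaches a request URL, applicant-supplied text never flows into an approve, deactivate, or edit call.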
Why building this yourself is a trap
The ShareASale API has several non-obvious failure modes worth flagging before integration. Rate limits are entirely undocumented - no numeric thresholds, no rate-limit headers, and no Retry-After behavior; aggressive polling can result in access suspension without prior warning.
The API token scope is hard-bound to account type: merchant tokens cannot reach affiliate-side endpoints and vice versa, so integrations spanning both sides require separate credential sets. No webhooks exist for any affiliate lifecycle event, making scheduled polling the only detection mechanism for status changes.
SCIM is not supported, and no IdP connectors (Okta, Entra ID, Google Workspace, OneLogin) are available, meaning ShareASale sits entirely outside standard identity lifecycle automation. The version query parameter (e.g., version=2.8) must be included on every request; omitting it may return unexpected or malformed results.