There are 2 types of API keys that you can generate:
Public(aka publishable) keys are prepended by
pk_and are meant to be used in client-side code. For example, for use with our JS, iOS, or Android SDKs.
Secretkeys are prepended by
sk_and are meant to be used in secure environments, such as during server-to-server communication with our API.
The vast majority of API endpoints require authentication through a
secret key. Only certain endpoints can be authenticated through a
public key. Endpoints that can be authenticated through a
public key can also be authenticated through a
Be very careful not to expose
secretkeys in client-side code
If you find that you have accidentally exposed a
secretkey, immediately rotate and delete the key!
The first thing we need to do is to generate API keys to access the API. Please log in to Shipped Suite Admin and click on "Administration -> API Keys" on the left hand menu. Click on the "Generate Key" button and then on the next page, give your new API key a name (e.g. "JS publishable key") and select "Public" in the dropdown. Click on "Create".
You have just generated your first
public API key. Write this token down and enter it into your application's credentials store.
Repeat the process but change "Public" to "Secret" to generate a
Secret keys will only be shown once
Please note that if you create a new API key of type
secret, the token will only be displayed once, immediately after creation. Is is not possible to retrieve the token after this, so please take note of it.
All API endpoints that require authentication require the API key token to be passed in the
Authorization header. For example, using curl:
curl "api_endpoint_here" \ -H "Authorization: pk_production_a238d34b83d3e68628704c9b91d82bd18bd20a48cfe21bc8f2065f23af897a3f"
The following are our recommendations and reminders for managing your API keys:
- Never use a
secretkey in client-side code (e.g. your website frontend, your mobile apps, etc.)
- Periodically rotate your API keys by creating new ones in your Shipped Suite Admin and swapping them out in your code
- Delete any unused/rotated API keys
- While we allow you to create any number of API keys, we recommend only keeping API keys that are actively in use
- We recommend giving your keys useful names that relate to the codebase that is employing the key
Updated over 1 year ago