Authentication
Public API requests are authenticated with store API keys.
API key format
text
if_PLACEHOLDER_KEYKeys are generated per store, shown once, stored hashed, and can be rotated or revoked from the dashboard. Each store can have up to 5 active API keys at a time; revoked keys are kept for audit history and do not count toward the active limit.
Header
Preferred:
http
X-Api-Key: if_PLACEHOLDER_KEYAlso supported for autocomplete:
http
Authorization: Bearer if_PLACEHOLDER_KEYKey lifecycle
| Action | Effect |
|---|---|
| Generate | Creates a new active key and shows the secret once. |
| Rotate | Replaces the secret for an existing key. The old value stops working immediately. |
| Revoke | Disables the key while retaining the record for audit history. |
Security recommendations
- Use separate keys for production, staging, and development.
- Rotate keys when a storefront theme or integration maintainer changes.
- Do not place privileged server-side credentials in browser code.
- Treat widget API keys as publishable storefront credentials scoped to search.
Unauthorized responses
json
{
"message": "Unauthenticated."
}PLACEHOLDER: Confirm final messages for missing, invalid, expired, and revoked keys.