Skip to content

Authentication

Public API requests are authenticated with store API keys.

API key format

text
if_PLACEHOLDER_KEY

Keys are generated per store, shown once, stored hashed, and can be rotated or revoked from the dashboard. Each store can have up to 5 active API keys at a time; revoked keys are kept for audit history and do not count toward the active limit.

Preferred:

http
X-Api-Key: if_PLACEHOLDER_KEY

Also supported for autocomplete:

http
Authorization: Bearer if_PLACEHOLDER_KEY

Key lifecycle

ActionEffect
GenerateCreates a new active key and shows the secret once.
RotateReplaces the secret for an existing key. The old value stops working immediately.
RevokeDisables the key while retaining the record for audit history.

Security recommendations

  • Use separate keys for production, staging, and development.
  • Rotate keys when a storefront theme or integration maintainer changes.
  • Do not place privileged server-side credentials in browser code.
  • Treat widget API keys as publishable storefront credentials scoped to search.

Unauthorized responses

json
{
  "message": "Unauthenticated."
}

PLACEHOLDER: Confirm final messages for missing, invalid, expired, and revoked keys.

Replace placeholder content before publishing.