Authentication
The API authenticates with a secret API key sent as a Bearer token.
API keys
Create and revoke keys in the dashboard under API Keys. Keys begin with sk_ and are shown only once at creation — store them securely and never expose them in client-side code.
Authorization header
Send your key in the Authorization header on every request:
bash
curl https://your-app.com/api/v1/products \ -H "Authorization: Bearer sk_your_key_here"Alternatively, the key may be passed in an x-api-key header.
Keep API keys server-side. Anyone with a key has full access to your products, payments, and webhooks. Rotate immediately if a key leaks by revoking it in the dashboard.
Unauthorized responses
Requests with a missing or invalid key return 401 Unauthorized:
json
{ "data": null, "error": { "message": "Invalid API key", "code": "unauthorized" }}