Commerce Kitty Help

API Keys

API keys let your scripts, integrations, and external tools talk to Commerce Kitty's public API. Each key authenticates a request as if it were a specific user.

How API keys work

An API key is a long random string you send in the Authorization header of a request. Commerce Kitty looks up the key, resolves the user it belongs to, and runs the request with that user's permissions. If the user cannot edit orders through the web UI, an API key tied to that user cannot edit orders either. Because the key is a bearer credential, anyone who holds it is authenticated as that user, so treat it with the same care as that user's password.

This design means you can scope a key by picking the right user. Create a dedicated "Integration" user in a limited user group, then generate the API key against that user. The key will only be able to do what that user can do.

API keys inherit user permissions. To limit a key, limit the user it belongs to.
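The lookup described above, written out as a small reference model. This is an added example, not Commerce Kitty's own code: it assumes keys are stored only as SHA-256 hashes (the page says the value is shown once, but does not say how it is stored), and the group names, permission names and record fields are hypothetical. It also models the Enabled field and the immediate effect of revoking a key, so that the same code shows why a disabled or revoked key fails on the very next request.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    group: str


@dataclass
class ApiKey:
    name: str            # the "Name" field: a label for the operator
    user: User           # the "User" field: the account the key acts as
    key_hash: str        # SHA-256 of the key value; plaintext is never stored (assumption)
    enabled: bool = True # the "Enabled" field


# Permissions granted per user group. Group and permission names are
# hypothetical; a real installation defines its own.
GROUP_PERMISSIONS = {
    "admins": {"orders:read", "orders:write", "inventory:read", "inventory:write"},
    "integrations": {"orders:read", "inventory:read"},
}


def hash_key(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class KeyStore:
    """Holds API key records, indexed by the hash of the key value."""

    def __init__(self) -> None:
        self._by_hash: dict[str, ApiKey] = {}

    def create(self, name: str, user: User) -> str:
        # The plaintext is returned exactly once, as the UI does; only its
        # hash is retained, so a copy of the store cannot be replayed.
        key = secrets.token_urlsafe(32)
        self._by_hash[hash_key(key)] = ApiKey(name, user, hash_key(key))
        return key

    def lookup(self, key: str) -> ApiKey | None:
        # Hashing before the dict lookup means comparison timing can only
        # leak information about the one-way hash, not about the key.
        return self._by_hash.get(hash_key(key))

    def set_enabled(self, name: str, enabled: bool) -> None:
        for record in self._by_hash.values():
            if record.name == name:
                record.enabled = enabled

    def revoke(self, name: str) -> None:
        # Deleting the record is what makes revocation immediate: the next
        # lookup fails, with no cache or token expiry to wait out.
        self._by_hash = {h: r for h, r in self._by_hash.items() if r.name != name}


def parse_bearer(header_value: str) -> str | None:
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(store: KeyStore, headers: dict[str, str], permission: str) -> tuple[bool, str]:
    """Resolve the request's key to a user and decide whether that user may act.

    Returns (allowed, username-or-reason). Every failure path denies.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return False, "no credentials"
    token = parse_bearer(auth)
    if token is None:
        return False, "malformed Authorization header"
    record = store.lookup(token)
    if record is None:
        return False, "unknown or revoked key"
    if not record.enabled:
        return False, "key disabled"
    # The key has no permissions of its own; it inherits the user's group.
    granted = GROUP_PERMISSIONS.get(record.user.group, set())
    if permission not in granted:
        return False, f"user {record.user.name} lacks {permission}"
    return True, record.user.name


if __name__ == "__main__":
    store = KeyStore()
    bot = User("inventory-bot", "integrations")
    key = store.create("Nightly inventory sync script", bot)  # shown once
    hdrs = {"Authorization": f"Bearer {key}"}
    print(authorize(store, hdrs, "inventory:read"))  # allowed
    print(authorize(store, hdrs, "orders:write"))    # denied: group lacks it
    store.revoke("Nightly inventory sync script")
    print(authorize(store, hdrs, "inventory:read"))  # denied: key is gone
```

The point to notice is that `authorize` never consults the key for permissions, only the user it resolves to. Moving the integration user into a more restricted group tightens every key that belongs to that user at once, which is the scoping mechanism the text describes.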

Generating a key

Go to Configuration, then API Keys, and click add. Give the key a name you will recognize later, pick which user it belongs to, and save. Commerce Kitty displays the key value once. Copy it immediately and store it in your secrets manager. You will not be able to see it again.

Commerce Kitty only shows the key value at creation time. If you lose it, revoke the old key and generate a new one.

Using a key

Send the key in the Authorization header as a bearer token. Always send it over HTTPS: a bearer token carried in clear text can be read and replayed by anyone who observes the request.

Authorization: Bearer YOUR_API_KEY_HERE

See the API documentation for endpoint details.

Revoking a key

If a key is leaked, exposed in a public repo, or no longer needed, revoke it from the API Keys list. Revocation is immediate. Any request using that key fails right away.

API key fields

Name

A label to help you remember what the key is for. Use descriptive names like "Zapier production" or "Nightly inventory sync script".

User

The user this key acts as. Permissions are inherited from this user and their group.

Enabled

Whether the key is active. Disable to pause use without deleting the record.

Security tips

  • Store keys in a secrets manager, not in source control. Never commit a key to git.
  • Use a separate key for each integration so you can revoke one without breaking the others.
  • Rotate keys on a regular schedule and whenever a teammate with access leaves.
  • Give each key the least permissions it needs by choosing a limited user.
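A small client helper that follows the "Using a key" instructions and the tips above: the key is read from an environment variable your secrets manager populates rather than from a file in the repo, it is never written to logs in full, it is only ever sent over HTTPS, and a rejected request is reported without echoing the credential. This is an added example and not Commerce Kitty's own client; the environment variable name, the base URL, and the assumption that a revoked, disabled or under-privileged key comes back as HTTP 401 or 403 are all placeholders to be checked against the API documentation.

```python
from __future__ import annotations

import os
import urllib.error
import urllib.request

# Assumed names (not from this page): the variable the secrets manager
# exports and the API base URL. Check the API documentation for the real URL.
KEY_ENV_VAR = "COMMERCE_KITTY_API_KEY"
BASE_URL = "https://commerce-kitty.example/api"


def load_api_key(env: dict | None = None) -> str:
    """Read the key from the environment, never from source control."""
    env = os.environ if env is None else env
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(
            f"{KEY_ENV_VAR} is not set; export it from your secrets manager first"
        )
    return key


def redact(key: str) -> str:
    """Form that is safe for logs: enough to tell keys apart, never enough to use."""
    return f"{key[:4]}...{key[-2:]}" if len(key) >= 12 else "***"


def build_request(
    path: str, key: str, method: str = "GET", body: bytes | None = None
) -> urllib.request.Request:
    """Attach the key as a bearer token; refuse to do so over plain HTTP."""
    if not BASE_URL.startswith("https://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    req = urllib.request.Request(BASE_URL + path, data=body, method=method)
    req.add_header("Authorization", f"Bearer {key}")
    req.add_header("Accept", "application/json")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req


def call_api(
    path: str, key: str, method: str = "GET", body: bytes | None = None, timeout: float = 10
) -> tuple[int, bytes]:
    """Send one request and return (status, body); never log the key itself."""
    req = build_request(path, key, method, body)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as exc:
        # Assumption: a revoked or disabled key, or a user without the needed
        # permission, is reported as 401 or 403. Surface it with the redacted key.
        if exc.code in (401, 403):
            raise PermissionError(
                f"key {redact(key)} rejected with HTTP {exc.code}; "
                "check that it is enabled and that its user has the permission"
            ) from None
        raise


if __name__ == "__main__":
    api_key = load_api_key()
    status, payload = call_api("/orders", api_key)
    print(status, len(payload), "bytes from", BASE_URL)
```

Because each integration gets its own key (and ideally its own environment variable name or secrets-manager entry), the `PermissionError` from one script tells you exactly which key to look at in the API Keys list, and revoking it leaves every other integration running.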
