Generate an API Key
How to create an API key so you can build your own integrations on top of Commerce Kitty, hand off scripted access to a developer, or connect a tool that talks to the API.
What an API key is
An API key is a long string that authenticates requests to the Commerce Kitty API. Anything you can do in the app, you can do through the API as long as you have a valid key. Keys belong to your account and inherit your account's data and permissions.
Use API keys for:
- Custom integrations between Commerce Kitty and tools that do not have a built-in plugin
- Internal scripts that update inventory, products, or orders in bulk
- Reporting tools that pull data from Commerce Kitty into spreadsheets or BI dashboards
- Webhooks and automation platforms (when not using a dedicated plugin like Zapier)
Step 1. Open the API Keys page
Click your name in the top right of the navbar and choose API Keys from the dropdown. The page lists every key you have generated, when each was created, and when it was last used.
Step 2. Generate a new key
Click Generate API Key. Give the key a clear name like "Reporting Script" or "Inventory Sync Automation" so you can identify it later. The name is for your own reference.
Click Create. Commerce Kitty generates a new key and shows it on the screen.
Copy the key now. The full key is shown only once at creation time. After you leave the page, you can never see it again. If you lose it, you will have to delete it and generate a new one.
Step 3. Store the key safely
Treat API keys like passwords. They are credentials and should be handled with the same care.
- Store keys in a secrets manager or environment variable, not in code
- Never commit keys to a git repository, even a private one
- Never share keys in chat, email, or screenshots
- Use different keys for different applications so you can revoke them independently
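One way to apply these rules in a script, as an added example that is not from Commerce Kitty's documentation: it reads the key from an environment variable, fails closed when the variable is missing, logs only a redacted form, and checks that the key value has not been pasted into any file in the project. The variable name `COMMERCE_KITTY_API_KEY` and all function names are assumptions made for this example.

```python
import os
import sys
from pathlib import Path

ENV_VAR = "COMMERCE_KITTY_API_KEY"  # assumed name, not defined by Commerce Kitty
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def load_api_key(env=os.environ):
    """Return the key from the environment; fail closed if it is absent."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to start without a key")
    return key


def redact(key):
    """Form that is safe to log: only the last 4 characters stay visible."""
    return "*" * 8 + key[-4:] if len(key) > 8 else "*" * 8


def find_hardcoded_key(root, key):
    """List files under root that contain the literal key value."""
    needle = key.encode()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories that are not part of the project's own files.
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            try:
                if needle in path.read_bytes():
                    hits.append(str(path.relative_to(root)))
            except OSError:
                continue  # unreadable file: skip it
    return sorted(hits)


def main():
    key = load_api_key()
    hits = find_hardcoded_key(Path.cwd(), key)
    for hit in hits:
        print(f"key {redact(key)} found in {hit}", file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the project root before committing; a non-zero exit status means the key value is present in a file and should be removed, and the key replaced if that file was ever shared or committed.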
Step 4. Use the key in API requests
Pass the key in the Authorization header of every request to the Commerce Kitty API. The exact format is documented at api.commercekitty.com along with the available endpoints, request and response shapes, and authentication details.
Revoking a key
If a key is compromised or no longer needed, revoke it immediately. Open the API Keys page, find the key, and click Delete. The key stops working as soon as it is deleted. Any application using it will start getting authentication errors and will need to be updated with a new key.
Revoking a key is instant. There is no grace period. Make sure no live application depends on the key before deleting it, or coordinate the deletion with deploying a replacement.
Rotating keys
For long-running integrations, rotate keys periodically (every few months) as a security best practice. The clean way to rotate is:
- Generate a new key
- Update the application to use the new key
- Verify the application still works
- Delete the old key
This avoids any downtime during the rotation.