API Keys
Merchants create, scope, revoke, and operationally rotate integration credentials from the merchant portal.
Keys are merchant-managed and shown once.
When a merchant creates a key, Rarely displays the secret once and stores only a hash. Merchants can label keys for systems like warehouses or analytics tools, optionally restrict them to specific fulfillment locations, and revoke them at any time.
Scopes are capability-based, not role-based.
Instead of broad access roles, keys are granted explicit capabilities like orders.read, inventory.write, or fulfillments.write. That keeps integrations narrowly scoped to the actions they actually need.
Rotate operationally: create a new key, update the external system, revoke the old key.
V1 does not expose a dedicated rotate endpoint. The safe rotation workflow is to create a replacement key with the same scopes, update the downstream system, validate traffic, then revoke the old key.
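
An added example, not Rarely's own code: a minimal Python model of the key lifecycle described on this page (hash-only storage, capability and location checks, and rotation by create, update, validate, revoke). The class and method names, the key and id formats, the choice of SHA-256, and revoking the replacement when validation fails are all assumptions of the example.

```python
import hashlib
import secrets


class KeyStore:
    """Hypothetical in-memory stand-in for the server-side key table."""

    def __init__(self):
        self._by_digest = {}  # SHA-256(secret) -> record; plaintext is never kept

    @staticmethod
    def _digest(secret):
        # Assumption: plain SHA-256 suffices because the secret is 256 random bits.
        return hashlib.sha256(secret.encode()).hexdigest()

    def create(self, label, scopes, locations=None):
        key_id = "key_" + secrets.token_hex(4)      # constructed id format
        secret = "sk_" + secrets.token_urlsafe(32)  # constructed secret format
        self._by_digest[self._digest(secret)] = {
            "id": key_id, "label": label, "scopes": frozenset(scopes),
            "locations": None if locations is None else frozenset(locations),
            "revoked": False,
        }
        return key_id, secret  # the only time the secret leaves the store

    def _by_id(self, key_id):
        return next(r for r in self._by_digest.values() if r["id"] == key_id)

    def revoke(self, key_id):
        self._by_id(key_id)["revoked"] = True

    def authorize(self, secret, capability, location=None):
        rec = self._by_digest.get(self._digest(secret))
        if rec is None or rec["revoked"] or capability not in rec["scopes"]:
            return False
        # A location-restricted key is refused unless the request names an allowed one.
        return rec["locations"] is None or location in rec["locations"]

    def rotate(self, old_id, update_downstream, validate):
        old = self._by_id(old_id)
        new_id, new_secret = self.create(old["label"], old["scopes"], old["locations"])
        update_downstream(new_secret)  # both keys are valid during this window
        if not validate(new_secret):
            self.revoke(new_id)  # example's choice: drop the replacement, keep the old key
            raise RuntimeError("replacement key failed validation; old key left active")
        self.revoke(old_id)  # revoke only after traffic on the new key is confirmed
        return new_id
```

Because the old key is revoked last, a failed cutover leaves the integration running on its original credential.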