Authentication
Authenticate requests with merchant-issued API keys and understand the merchant-scoping guarantees applied to every request.
Use Authorization: Bearer by default.
The integration API accepts both Authorization: Bearer <secret> and X-API-Key: <secret>. Bearer is the canonical header and should be your default unless an external system only supports custom headers.
Authorization: Bearer rk_live_your_secret_hereX-API-Key: rk_live_your_secret_hereEvery key is restricted to one merchant.
A key can only read and write records that belong to the merchant that created it. Even if another merchant id or object id is guessed, the request is still validated against the key’s merchant scope and will not cross that boundary. Keys can also be narrowed further to specific fulfillment locations for multi-warehouse setups.
Every response includes a request id.
Successful and failed responses both include request_id. If your integration team reports a problem, include that id when troubleshooting.
{
"data": [],
"request_id": "4e43ae45-4fc0-4c3a-b57d-819a9e6b2ea6",
"meta": {
"limit": 50,
"next_cursor": null
}
}