API Authentication
Complete guide to authenticating API requests and managing API keys.
Frequently Asked Questions
How do I create an API key in the admin panel?
Log in to the admin panel of your installation, navigate to "API Manager", click "Create New API Key", enter a name for the key (e.g., "My Website Integration"), select its permissions (read access for GET requests, write access for POST/PUT/DELETE requests, specific resource permissions), optionally set an expiration date, then click "Create" and securely copy your API key. API keys are shown only once, so store them securely.
How do I use API keys in API requests?
Include your API key in the Authorization header as Authorization: Bearer YOUR_API_KEY, and also send a Content-Type: application/json header. Example: curl -X GET https://your-domain.com/api/v1/user/products -H "Authorization: Bearer sk_live_abc123xyz..." -H "Content-Type: application/json".
What permissions can I set for API keys?
You can set read permissions (view products, orders, users, files), write permissions (create products, update orders, manage users, upload files), and specific resource permissions. Permissions control what the API key can access. You can update API key permissions later from the API Manager.
How do I authenticate users in my application using the API?
Use the user login endpoint POST /api/v1/user/auth/login with the user's email and password. The response includes a JWT, which you send on authenticated requests as Authorization: Bearer USER_JWT_TOKEN. Implement token refresh for long-lived sessions and handle token expiration gracefully.
What are the security best practices for API keys?
Never expose API keys in client-side JavaScript, store API keys in environment variables, use different API keys for different environments (dev, staging, production), rotate API keys regularly, revoke compromised keys immediately, and use HTTPS for all API requests. For tokens, implement token refresh, store tokens securely (httpOnly cookies or secure storage), handle token expiration gracefully, and implement logout to invalidate tokens.
API Key Authentication
Creating API Keys
- Log in to the admin panel
- Navigate to "API Manager" from the sidebar
- Click "Create New API Key"
- Enter a name for your API key (e.g., "My Website Integration")
- Select permissions for the API key:
  - Read access (GET requests)
  - Write access (POST, PUT, DELETE requests)
  - Specific resource permissions (products, orders, users, etc.)
- Set expiration date (optional)
- Click "Create" and securely copy your API key
Important: API keys are only shown once. Store them securely and never expose them in client-side code.
Using API Keys in Requests
Include your API key in the Authorization header:
Authorization: Bearer YOUR_API_KEY_HERE
Example request:
curl -X GET \
  https://your-domain.com/api/v1/user/products \
  -H "Authorization: Bearer sk_live_abc123xyz..." \
  -H "Content-Type: application/json"
API Key Permissions
Permission Types
Read Permissions
- View products
- View orders
- View users
- View files
Write Permissions
- Create products
- Update orders
- Manage users
- Upload files
Managing Permissions
You can update API key permissions:
- Go to "API Manager" in admin panel
- Click on the API key you want to modify
- Update permissions as needed
- Save changes
User Authentication
User Login Endpoint
For user-facing applications, use the login endpoint:
POST /api/v1/user/auth/login
{
  "email": "user@example.com",
  "password": "userpassword"
}
Response:
{
  "status": "success",
  "data": {
    "token": "jwt_token_here",
    "user": {
      "id": 1,
      "email": "user@example.com",
      "name": "John Doe"
    }
  }
}
Using User Tokens
After login, use the token for authenticated requests:
Authorization: Bearer USER_JWT_TOKEN
Security Best Practices
API Key Security
- Never expose API keys in client-side JavaScript
- Store API keys in environment variables
- Use different API keys for different environments (dev, staging, production)
- Rotate API keys regularly
- Revoke compromised keys immediately
- Use HTTPS for all API requests
Token Management
- Implement token refresh for long-lived sessions
- Store tokens securely (httpOnly cookies or secure storage)
- Handle token expiration gracefully
- Implement logout to invalidate tokens
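The flows described on this page (API-key headers read from the environment, the documented login response, and graceful handling of token expiry) as a small Python client helper. This is an added example, not code from the original documentation; the function names, the 60-second refresh margin and the constructed sample token are this example's own assumptions.

```python
import base64
import json
import os
import time

def api_key_headers(env=os.environ, var="API_KEY"):
    """Build headers for API-key authentication. The key is read from an
    environment variable, never hard-coded, matching the page's advice."""
    key = env.get(var)
    if not key:
        raise RuntimeError(f"API key not found in environment variable {var}")
    return {"Authorization": f"Bearer {key}",
            "Content-Type": "application/json"}

def token_from_login_response(body):
    """Extract the JWT from the documented POST /api/v1/user/auth/login
    response: {"status": "success", "data": {"token": ..., "user": {...}}}."""
    payload = json.loads(body) if isinstance(body, (str, bytes)) else body
    if payload.get("status") != "success" or "data" not in payload:
        raise RuntimeError(f"login did not succeed: {payload}")
    return payload["data"]["token"]

def jwt_claims_unverified(token):
    """Decode the JWT payload WITHOUT checking the signature. Only the server
    verifies tokens; the client reads claims solely to schedule a refresh."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def token_needs_refresh(token, now=None, skew=60):
    """True when the exp claim is missing, already past, or within `skew`
    seconds of now, so the caller refreshes before a request can fail."""
    now = time.time() if now is None else now
    exp = jwt_claims_unverified(token).get("exp")
    return exp is None or now >= exp - skew

def sample_token(exp, sub=1):
    """Constructed sample token for offline use (not issued by any server).
    The signature segment is a placeholder; only the server would verify it."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = seg({"alg": "HS256", "typ": "JWT"})
    return f"{header}.{seg({'sub': sub, 'exp': exp})}.placeholder-signature"
```

Call token_needs_refresh before each request and re-run the login (or your refresh flow) when it returns True, rather than waiting for a 401.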