API Keys
API keys allow external applications — and your own storefront — to interact with your store's data. There are two types: Publishable (safe for client-side) and Secret (server-side only).
Key types
| Type | Safe to expose | Used for |
|---|---|---|
| Publishable key | Yes (in browser) | Storefront product browsing, cart, checkout |
| Secret key | No — keep private | Server-side admin operations |
Where keys are used
Publishable key: Your storefront's environment variables contain the publishable key. It's sent with every storefront API request to identify your store to the backend. It's visible in browser requests — that's intentional and safe.
Secret key: Used by server-side scripts, webhooks, and admin API calls. Never include it in frontend code or commit it to a public repository.
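One way to enforce this rule before a deploy or a push, as an added example (not part of the platform's own tooling): the script searches a build output or repository directory for the exact secret key value and reports file and line without printing the key. The environment variable name `STORE_SECRET_KEY` and the skipped directories are assumptions.

```python
import os
import sys
from pathlib import Path

SKIP_DIRS = {".git", "node_modules"}  # assumption: these are not part of what gets published


def find_secret_leaks(root, secret, skip_dirs=SKIP_DIRS):
    """Return sorted (relative_path, line_number) pairs where `secret` appears under `root`."""
    if len(secret) < 8:
        # An empty or very short value would match almost every file.
        raise ValueError("secret value is missing or too short to search for")
    needle = secret.encode()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()  # bytes: bundles and source maps may not be valid UTF-8
            except OSError:
                continue  # unreadable file or broken symlink
            for lineno, line in enumerate(data.split(b"\n"), start=1):
                if needle in line:
                    hits.append((path.relative_to(root).as_posix(), lineno))
    return sorted(hits)


def main(argv):
    # Hypothetical variable name; use whatever your server-side environment calls it.
    secret = os.environ.get("STORE_SECRET_KEY", "")
    root = Path(argv[1] if len(argv) > 1 else ".")
    hits = find_secret_leaks(root, secret)
    for rel, lineno in hits:
        print(f"secret key found in {rel}:{lineno}")  # location only, never the value
    return 1 if hits else 0  # non-zero exit fails the CI job or pre-push hook


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the storefront's build output directory in CI, in a job that has the secret key in its environment. The publishable key is expected in that output and is not flagged.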
Viewing your keys
Go to Settings → API Keys in the admin panel.
You'll see:
- All publishable keys (with their labels and creation dates)
- A button to create new keys
- A "Revoke" option for each key
Secret keys are only shown once at creation time and cannot be retrieved afterward.
Creating a new API key
If you accidentally expose a secret key (e.g. commit it to a public repository), revoke it immediately and create a new one. Treat it like a compromised password — assume it's been seen.
Revoking a key
Open the key in Settings → API Keys and click Revoke. Any system using the revoked key will immediately lose access. Make sure you update all dependent services before revoking a production key.
Your storefront's publishable key
Your storefront was configured with a publishable key at setup time. This key is stored in your storefront's environment variables. If you ever need to rotate it (e.g. security audit):
- Create a new publishable key in Settings → API Keys
- Update your storefront's environment variable with the new key
- Redeploy the storefront
- Revoke the old key only after confirming the new one is working