API keys. Create, rotate, scope

Generate restricted API keys with the least privilege your integration needs. How to rotate them and what to do when one leaks.

Last updated 2026-05-10

API keys are how external code authenticates against the SellStein REST API. Treat them like passwords.

Create a key

Settings → Developers → API Keys → New key. Two questions:

  • Mode. Sandbox or live
  • Permissions. Full access or restricted

Restricted is what you want for almost everything. Pick the resources the integration touches (e.g. orders:read + customers:read for a reporting tool) and nothing else. The key UI shows exactly what API calls will succeed and fail.

Key formats

  • Live full-access: sk_live_xxxx
  • Live restricted: rk_live_xxxx
  • Sandbox: sk_test_xxxx and rk_test_xxxx

You can tell at a glance which environment a key targets. Restricted keys can never escalate to full. There's no "reveal full key" button.

Where to put it

In server-side code, in a secret manager. Never in:

  • Client-side JavaScript (anyone can read your bundle)
  • Mobile app binaries (decompilable in 30 seconds)
  • Public Git repositories (we scan GitHub for leaked keys and auto-revoke them. Yes, we'll email you when this happens)

Rotate on a schedule

For full-access live keys, rotate every 90 days. For restricted keys with low blast radius, every 6-12 months is fine. The rotation flow:

  1. Create a new key
  2. Update your app to use it
  3. Verify the old key is no longer being used (Settings → Developers → API Keys → Last used)
  4. Revoke the old key

Two keys can be active simultaneously, so there's no downtime in the rotation.

When a key leaks

  • Revoke immediately at Settings → Developers → API Keys
  • Audit the last 30 days of API activity (Settings → Developers → API Logs)
  • Look for unfamiliar IPs, unexpected resources, mass exports
  • If you see anything off, contact us. We have raw access logs and can trace deeper

We auto-revoke keys we detect on GitHub, npm, Docker Hub, and pastebin. If that happens we email the account owner with the exact source of the leak.

Testing

Hit GET /v1/account with a key in the Authorization header. If you get back your account info, the key works. If you get 401 with "invalid_api_key", check whitespace and the key's mode (sandbox key against live URL fails).
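A pre-flight check for the two failure modes named above (stray whitespace and a sandbox key pointed at the live URL), as an added example that is not SellStein's own client code. It assumes the prefixes listed under Key formats, placeholder base URLs (the real hostnames are not on this page) and a `Bearer` scheme for the Authorization header, which the page does not specify.

```python
"""Classify a SellStein API key and build GET /v1/account safely.

Added example, not SellStein's client library. Base URLs and the
Bearer scheme are assumptions; key prefixes follow the page.
"""
import re
import urllib.request

# Placeholder hosts, not SellStein's real API endpoints.
LIVE_BASE = "https://api.example.invalid"
SANDBOX_BASE = "https://sandbox.example.invalid"

# sk_ = full access, rk_ = restricted; live vs test = environment.
KEY_RE = re.compile(r"^(?P<kind>sk|rk)_(?P<mode>live|test)_[A-Za-z0-9]+$")


def classify_key(raw_key: str) -> dict:
    """Return mode and permission level, and flag copied-in whitespace.

    A trailing newline from a copy/paste is the usual cause of the
    401 invalid_api_key the page mentions, so it is reported here.
    """
    stripped = raw_key.strip()
    match = KEY_RE.match(stripped)
    if not match:
        raise ValueError("key does not match sk_/rk_ + live/test format")
    return {
        "mode": "live" if match.group("mode") == "live" else "sandbox",
        "permissions": "full" if match.group("kind") == "sk" else "restricted",
        "had_whitespace": stripped != raw_key,
    }


def build_account_request(raw_key: str, base_url: str) -> urllib.request.Request:
    """Build the GET /v1/account probe, refusing a mode/URL mismatch."""
    info = classify_key(raw_key)
    target_mode = "sandbox" if base_url == SANDBOX_BASE else "live"
    if info["mode"] != target_mode:
        raise ValueError(f"{info['mode']} key used against {target_mode} URL")
    return urllib.request.Request(
        f"{base_url}/v1/account",
        headers={"Authorization": f"Bearer {raw_key.strip()}"},
        method="GET",
    )
```

Send the returned request with `urllib.request.urlopen` once the check passes; a 401 after that points at a revoked key rather than a formatting problem.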

Still need help?

Real humans, real answers. We respond fast and we never use chatbots as the front line.

Email Support