Authentication
Shoprocket has two API surfaces and two kinds of key. The right one to reach for depends on where your code runs.
Public key vs secret key
Both keys live in your dashboard under Settings, API keys. Each store has its own set. You can rotate either key at any time.
| Key | Prefix | Where it runs | What it can do |
|---|---|---|---|
| Public | pk_live_... | Browser, mobile app, any untrusted client | Read the catalogue, manage a cart, submit checkout |
| Secret | sk_live_... | Your server only | Everything. Create products, read orders, issue refunds, push inventory |
Sending the key
Every request needs an Authorization header. The format is the same for both keys.
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxx
Example, fetching a single product with the public key from a storefront build:
curl https://api.shoprocket.io/v3/public/products/{id} \
-H "Authorization: Bearer pk_live_xxxxxxxxxxxxxxxxxxxxxxxx"
Example, creating a product from your server with the secret key:
curl -X POST https://api.shoprocket.io/v3/private/products \
-H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{
"name": "Hand-poured candle",
"price": 2400,
"status": "published"
}'
The cart token (public API only)
Public endpoints that touch the cart also need an X-Cart-Token header. The token is a string you generate once per visitor (a UUID is fine) and keep in a cookie or local storage on the client. Send it with every cart request so the server can match requests to the same cart without relying on a session cookie of its own.
X-Cart-Token: 01HXYZABC123...
Rate limits
Rate limits are per-endpoint, per-IP. Each endpoint has its own ceiling tuned to what it does, shown on its page in the API reference. A global fallback of 600 requests per minute applies to anything not more tightly scoped.
Typical ceilings you will see:
- Read-heavy Public endpoints (product list, cart get, category list): 60 to 120 per minute.
- Mutation Public endpoints (add to cart, apply discount, submit checkout): 30 to 60 per minute.
- Sensitive endpoints (send login link, create review): 5 to 10 per minute to deter abuse.
Every response sets standard headers so you can back off intelligently.
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 58
Retry-After: 12 (only sent on 429)
If you hit a 429, wait Retry-After seconds and try again. Do not retry aggressively: the same limiter will reject each attempt and the clock resets on the final hit, not the first.
Rotating keys
To rotate a key, generate a new one in the dashboard, deploy it to your environment, then revoke the old one. New and old keys both work until you revoke, so you can swap over without downtime.
- Dashboard, Settings, API keys, Generate new key
- Update your environment variable or secret manager
- Deploy
- Confirm the new key is in use, then click Revoke on the old key
Last updated: 27 April 2026
Stuck on something?
Our dev team replies fast. Email us with code samples or open chat for a quick question.
dev@shoprocket.io