# API Keys

Some of the routes in the Reflow API handle sensitive private data such as customer emails, phone numbers and addresses. When working with these routes, in order to protect user data, a secret API key has to be included in the request.

# Creating API Keys

To create an API key, go to the API Key Settings page and click the Add API Key button. This opens a dialog window where you can enter a name for the key.

After selecting a name and clicking the Save button, the page will refresh and your newly created key will be shown on the screen.

This is the only time you will be able to view the entirety of this API key. Make sure to copy the full string and save it somewhere locally.

The first seven characters of the key (the symbols before the dot) are the key prefix. This part of the key remains visible on the API Keys page and can be used to look up keys.

# Authenticating With API Key

To access protected API routes, add the API key to the Authorization header of the request.

```
Authorization: Bearer <api_key>
```

Here is an example request that fetches all orders for a specified store.

```
curl --header 'Authorization: Bearer 19656ea.4329f04826e125f1ee999b53f78' 'https://api.reflowhq.com/v1/stores/267418190/orders/'
```

You can monitor the usage of all your API keys from the settings page.

# Security Tips

  • Always keep your key secure and never expose it publicly. Treat it as you would a password. Don't embed it in your client-side JS.
  • If you no longer need an API key, we highly suggest you deactivate or delete it to improve your data security.
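
A key typed directly into a `curl` command line ends up in shell history and is visible in the process list while the request runs. The script below is an added example, not code from Reflow: it makes the same orders request while keeping the key out of both, and logs only the key prefix. The `REFLOW_API_KEY` environment variable and the function names are assumptions chosen for this example.

```bash
#!/usr/bin/env bash
# Added example (not Reflow's code). Assumption: the key is provided in the
# REFLOW_API_KEY environment variable, a name chosen for this example.

# Print only the key prefix (the part before the dot), which is safe to log.
key_prefix() {
  printf '%s' "${1%%.*}"
}

# Shape check from the page: seven-character prefix, a dot, then the secret part.
# Whitespace, quotes and backslashes are refused because they would alter the
# curl config line built below.
key_looks_valid() {
  case "${1%%.*}" in ???????) ;; *) return 1 ;; esac
  [ "${#1}" -gt 8 ] || return 1
  [ "$(printf '%s' "$1" | tr -d '[:space:]"\\')" = "$1" ] || return 1
}

# Emit the Authorization header in curl's config-file syntax.
# printf is a shell builtin, so the key is not handed to a new process as an argument.
curl_auth_config() {
  printf 'header = "Authorization: Bearer %s"\n' "$REFLOW_API_KEY"
}

# Fetch all orders for a store. curl reads the header from stdin (--config -),
# so the key stays out of the process list and shell history.
fetch_orders() {
  key_looks_valid "${REFLOW_API_KEY:-}" || {
    echo "REFLOW_API_KEY is missing or malformed" >&2
    return 2
  }
  echo "Using API key with prefix $(key_prefix "$REFLOW_API_KEY")" >&2
  curl_auth_config |
    curl --silent --show-error --fail --config - \
      "https://api.reflowhq.com/v1/stores/$1/orders/"
}
```

With the key injected into the environment by your deployment tooling, call `fetch_orders 267418190` from server-side scripts only.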