# API Keys

Some of the routes in the Reflow API handle sensitive private data such as customer emails, phone numbers and addresses. When working with these routes, in order to protect user data, a secret API key has to be included in the request.

# Creating API Keys

To create an API key go to the API Key Settings page and click the Add API Key button. This will open a dialog window where you can enter a name for this key and configure resource access.

After selecting a name and clicking the Save button, the page will refresh and your newly created key will be shown on the screen.

*Screenshot: API Key created dialog*

This is the only time you will be able to view the entirety of this API key. Make sure to copy the full string and save it somewhere locally.

The first seven characters of the key (the symbols before the dot) are the key prefix. This part of the key remains visible in the API Keys page and can be used to look up keys.

# Authenticating With API Key

For accessing protected API routes, add the API key in the Authorization header of the request.

```http
Authorization: Bearer <api_key>
```

Here is an example request that fetches all orders for a specified store.

```shell
curl --header 'Authorization: Bearer 19656ea.4329f04826e125f1ee999b53f78' 'https://api.reflowhq.com/v1/stores/267418190/orders/'
```

You can monitor the usage of all your API keys from the settings page.
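The following client helper is an added example, not code from the Reflow documentation or SDK. It shows the same request as the curl command above built in Python: the key is read from an environment variable (`REFLOW_API_KEY` is an assumed name) rather than being embedded in code, only the seven-character prefix is ever written to logs, and an HTTP 401 (the status the Resource Access section says is returned for a key without access to a resource type) is turned into a message that names the key by prefix only. The store id and URL are taken from the page's example; the sample key in the test is constructed.

```python
import os
import urllib.error
import urllib.request

# Base URL as it appears in the page's curl example.
API_BASE = "https://api.reflowhq.com/v1"


def load_api_key(env_var: str = "REFLOW_API_KEY") -> str:
    """Read the secret from the environment instead of hard-coding it.

    REFLOW_API_KEY is an assumed variable name, not one defined by Reflow.
    """
    key = os.environ.get(env_var, "").strip()
    if not key:
        raise RuntimeError(f"{env_var} is not set; refusing to send an unauthenticated request")
    return key


def key_prefix(api_key: str) -> str:
    """Return the 7-character prefix (the part before the dot).

    This is the portion that stays visible in the API Keys settings page,
    so it is the only part of the key that is safe to write to logs.
    """
    prefix, dot, _secret = api_key.partition(".")
    if dot != "." or len(prefix) != 7 or not _secret:
        raise ValueError("malformed API key: expected '<7-char prefix>.<secret>'")
    return prefix


def redacted(api_key: str) -> str:
    """Log-safe representation: prefix kept, secret part masked."""
    return key_prefix(api_key) + ".***"


def build_request(api_key: str, store_id: str, path: str = "orders/") -> urllib.request.Request:
    """Build the GET request carrying the Bearer header the page describes."""
    url = f"{API_BASE}/stores/{store_id}/{path}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    return req


def fetch(req: urllib.request.Request, opener=None) -> bytes:
    """Send the request; map a 401 to an error that names the key by prefix only.

    `opener` is injectable so the 401 path can be exercised without network access.
    """
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            token = req.get_header("Authorization", "").removeprefix("Bearer ")
            raise PermissionError(
                f"key {redacted(token)} was rejected (401): check that it is still active "
                "and that its resource access includes this resource type"
            ) from err
        raise


if __name__ == "__main__":
    key = load_api_key()
    print(fetch(build_request(key, "267418190")).decode())
```

Run it with `REFLOW_API_KEY=<your key> python client.py`; the exception text on a 401 contains only the prefix, which is exactly what you need to find the key in the settings page without leaking the secret into log aggregation.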

# Security Tips

  • Always keep your key secure and never expose it publicly. Treat it as you would a password. Don't embed it in your client-side JS.
  • If you no longer need an API key we highly suggest you deactivate or delete it to improve your data security.

# Resource Access

With the resource access feature you can limit which store resources a given API key has access to. This enhances the security of your store's data by authorizing each API key only for the specified sections of your store.

Resource access can be set during API key creation or editing. Each API key has its own resource configuration, allowing them to have different levels of access.

If you make an authenticated request to a resource with a key that has not been granted access to that resource type, the request will be denied with an HTTP 401 status code.