API: authentication

Authenticating to Snipcart's REST API is done via the HTTP basic authentication scheme.

You first have to create a secret API Key from your merchant dashboard. You can create as many secret keys as you want.

You can create keys in Test or Live mode. Each key will give you the permissions to make requests for the specified mode only. A key created in Test mode will not be valid to get your Live data.

These keys must remain private

Anyone holding these keys will be able to access all your account information. That means they should not:

  • Appear in your source code
  • Appear in your compiled front-end assets (HTML, JavaScript)
  • Be sent over insecure channels (email, chat platforms, etc.)

Credentials format

As specified by RFC 7617, credentials must be provided as the base64 encoding of the "[username]:[password]" string. Depending on the tooling you use to make HTTP requests, you may have to base64 encode your credential string in your own code.

In our case, the API key must be passed as the username, and no password must be provided. For example, if your API key is "secret", then you'd have to encode "secret:" into a base64 string. The trailing single colon character is important.

Example request (bash)

curl -H "Accept: application/json" \
  https://app.snipcart.com/api/orders \
  -u {API_KEY}:
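
The following is an added example, not Snipcart's own code: it builds the "[key]:" credentials described under "Credentials format" from an environment variable, so the key stays out of source code, and hands the header to curl on stdin. The variable name `SNIPCART_API_KEY` and the function names are assumptions; `-H @-` requires curl 7.55.0 or later.

```bash
#!/usr/bin/env bash
# Added example. SNIPCART_API_KEY is an assumed variable name,
# not one defined by Snipcart; function names are hypothetical.

# Encode "<key>:" (key as username, empty password) per RFC 7617.
snipcart_basic_credentials() {
  if [ -z "$1" ]; then
    echo "API key is empty" >&2
    return 1
  fi
  # A colon inside the username is not allowed by RFC 7617. This also
  # catches a key pasted with the trailing colon already appended,
  # which would otherwise be encoded as "key::".
  case "$1" in
    *:*) echo "API key must not contain ':'" >&2; return 1 ;;
  esac
  # printf, not echo: a trailing newline would be encoded into the credentials.
  # tr removes the line wrapping some base64 implementations add.
  printf '%s:' "$1" | base64 | tr -d '\n'
}

# Full header line, for tools that do not build it for you.
snipcart_auth_header() {
  local creds
  creds="$(snipcart_basic_credentials "$1")" || return 1
  printf 'Authorization: Basic %s' "$creds"
}

# List orders. The header reaches curl on stdin (-H @-), so the key
# does not appear in the process list or in shell history.
snipcart_list_orders() {
  local header
  header="$(snipcart_auth_header "${SNIPCART_API_KEY:-}")" || return 1
  printf '%s\n' "$header" | curl -sS -H "Accept: application/json" -H @- \
    https://app.snipcart.com/api/orders
}
```

Export `SNIPCART_API_KEY` from a secret store or an untracked environment file before calling `snipcart_list_orders`.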