Authentication
Every API request must include a Bearer token in the Authorization header. The token is your API key and secret separated by a colon.
Header Format
Authorization: Bearer {api_key}:{api_secret}
Examples
curl
curl -H "Authorization: Bearer ccapi_abc123def456:secret789xyz" \
  https://example.com/api/v1/products
PHP
$ch = curl_init('https://example.com/api/v1/products');
curl_setopt_array($ch, [
    CURLOPT_HTTPHEADER => ['Authorization: Bearer ccapi_abc123:secret789'],
    CURLOPT_RETURNTRANSFER => true,
]);
// json_decode() yields null if the request failed or the body is not JSON
$response = json_decode(curl_exec($ch), true);
curl_close($ch);
if (!empty($response['success'])) {
    foreach ($response['data'] as $product) {
        echo $product['name'] . ' — £' . $product['price'] . "\n";
    }
}
JavaScript (fetch)
const response = await fetch('https://example.com/api/v1/products', {
  headers: {
    'Authorization': 'Bearer ccapi_abc123:secret789'
  }
});
const { success, data } = await response.json();
if (success) {
  data.forEach(p => console.log(p.name, p.price));
}
Python
import requests

headers = {'Authorization': 'Bearer ccapi_abc123:secret789'}
r = requests.get('https://example.com/api/v1/products', headers=headers)
data = r.json()
if data['success']:
    for product in data['data']:
        print(f"{product['name']} — £{product['price']}")
Security Notes
- HTTPS is required — plain HTTP requests are rejected with 403.
- API secrets are bcrypt-hashed in the database and cannot be retrieved after creation.
- If a secret is compromised, use Regenerate in the admin panel to issue new credentials immediately.
- Optional IP whitelisting restricts which addresses can use a key.
- Each API key inherits the permission ceiling of its linked admin user.
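An added example, not part of the original documentation: because the secret travels in every request, a call sent to an http:// URL by mistake exposes it in cleartext before the server's 403 comes back. This Python helper reads the credentials from the environment instead of source code, refuses non-HTTPS URLs, and masks the secret for logging; the environment variable names and function names are hypothetical.

```python
import os
import urllib.request
from urllib.parse import urlsplit

KEY_ENV = "SHOP_API_KEY"        # hypothetical variable names, not from the page
SECRET_ENV = "SHOP_API_SECRET"


def bearer_header(api_key: str, api_secret: str) -> str:
    """Build 'Bearer {api_key}:{api_secret}' as the Header Format section defines it."""
    for name, value in (("api_key", api_key), ("api_secret", api_secret)):
        if not value or any(c.isspace() or not c.isprintable() for c in value):
            raise ValueError(f"{name} is empty or contains whitespace/control characters")
    if ":" in api_key:
        # Added client-side check: the colon is the separator, so a key containing one is ambiguous.
        raise ValueError("api_key must not contain ':'")
    return f"Bearer {api_key}:{api_secret}"


def require_https(url: str) -> str:
    """Refuse to attach credentials to anything but an https:// URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return url


def redact(header: str) -> str:
    """Log-safe form of the header: key kept for correlation, secret masked."""
    scheme, _, token = header.partition(" ")
    key, _, _secret = token.partition(":")
    return f"{scheme} {key}:***"


def build_request(url: str, env=os.environ) -> urllib.request.Request:
    """Return an unsent request with credentials read from the environment."""
    header = bearer_header(env.get(KEY_ENV, ""), env.get(SECRET_ENV, ""))
    return urllib.request.Request(require_https(url), headers={"Authorization": header})


if __name__ == "__main__":
    demo_env = {KEY_ENV: "ccapi_abc123", SECRET_ENV: "secret789"}  # constructed sample values
    req = build_request("https://example.com/api/v1/products", demo_env)
    print(redact(req.get_header("Authorization")))
    try:
        build_request("http://example.com/api/v1/products", demo_env)
    except ValueError as exc:
        print("blocked:", exc)
```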