API Tokens
API tokens allow external applications to access your store's data securely. This guide covers creating, managing, and securing your API tokens.
Creating an API Token
Via Dashboard
- Log into your store dashboard at
https://yourstore.pixlpay.net - Navigate to Settings > API Tokens
- Click Create API Token
- Fill in the details:
- Name: Descriptive name (e.g., "Mobile App", "Analytics Dashboard")
- Description: What this token is used for
- Rate Limit: Maximum requests per minute (default: 60)
- Expiration: Optional expiration date
- Scopes: Select required permissions
- Click Generate
- Copy the token immediately - it's only shown once!
Important
Store your token securely. You cannot view the full token again after creation.
Token Scopes
Select only the scopes your integration needs:
Product Scopes
| Scope | Description |
|---|---|
products:read | Read product information, inventory, pricing |
products:write | Create, update, and delete products |
Order Scopes
| Scope | Description |
|---|---|
orders:read | View order details and customer information |
orders:write | Fulfill orders, update order status |
Customer Scopes
| Scope | Description |
|---|---|
customers:read | View customer profiles and purchase history |
customers:write | Update customer information |
Analytics Scopes
| Scope | Description |
|---|---|
analytics:read | Access revenue reports and sales analytics |
Webhook Scopes
| Scope | Description |
|---|---|
webhooks:read | View webhook endpoints and delivery logs |
webhooks:write | Create, update, and delete webhook endpoints |
Settings Scopes
| Scope | Description |
|---|---|
settings:read | View store settings |
settings:write | Update store settings |
Managing Tokens
View Token Details
Click on any token in the dashboard to view:
- Token name and description
- Active scopes
- Rate limit configuration
- Last used timestamp
- Usage statistics
- Recent API calls
Usage Statistics
Monitor how each token is being used:
- Total API calls: Lifetime request count
- Calls today: Requests in the last 24 hours
- Top endpoints: Most frequently accessed resources
- Success rate: Percentage of successful requests
- Average response time: Performance metrics
Rotate Token
If you suspect a token has been compromised:
- Click on the token in your dashboard
- Click Rotate Token
- A new token will be generated
- The old token is immediately invalidated
- Copy the new token and update your integration
Revoke Token
To permanently disable a token:
- Click on the token
- Click Revoke Token
- Confirm the action
- The token is immediately deactivated
This action cannot be undone
Revoking a token will immediately break any integrations using it.
Update Token Settings
You can update these settings without changing the token:
- Name and description
- Rate limit
- Scopes (add or remove permissions)
- Expiration date
Common Use Cases
1. Mobile App Integration
Recommended scopes: products:read, orders:read, customers:read
For displaying products and orders in a mobile app.
2. Custom Analytics Dashboard
Recommended scopes: analytics:read, orders:read, products:read
For building custom reports and visualizations.
3. Order Fulfillment System
Recommended scopes: orders:read, orders:write
For automatically processing and fulfilling orders.
4. Inventory Management
Recommended scopes: products:read, products:write
For syncing inventory with external systems.
5. Customer Portal
Recommended scopes: customers:read, orders:read
For allowing customers to view their orders and account.
6. Webhook Management
Recommended scopes: webhooks:read, webhooks:write
For programmatically managing webhook endpoints.
Best Practices
Security
- Never share tokens publicly - Treat API tokens like passwords
- Use specific scopes - Only grant the minimum permissions needed
- Set expiration dates - For temporary integrations or testing
- Rotate regularly - Change tokens periodically for security
- Monitor usage - Review API call logs for suspicious activity
Organization
- Use descriptive names - "Production Mobile App" not "Token 1"
- One token per integration - Don't reuse tokens across different apps
- Document token usage - Keep track of where each token is used
- Set appropriate rate limits - Prevent accidental API abuse
Rate Limits
Configure rate limits based on your integration's needs:
| Use Case | Recommended Limit |
|---|---|
| Low-frequency polling | 10-30 req/min |
| Real-time dashboard | 60-120 req/min |
| Bulk operations | 120-300 req/min |
| High-volume sync | 300+ req/min |
Troubleshooting
Token Not Working
- Check token is active - Verify status in token management
- Check expiration - Token may have expired
- Verify scopes - Ensure token has required permissions
- Check rate limit - You may have exceeded requests per minute
- Verify subdomain - Token is tenant-specific
Rate Limit Exceeded
If you see "429 Too Many Requests":
- Check current rate limit in token settings
- Implement request throttling in your application
- Increase rate limit if needed
- Wait for rate limit window to reset (shown in headers)
Permission Denied
If you see "403 Forbidden":
- Check which scopes are assigned to the token
- Add required scopes in token settings
- Ensure you're accessing the correct endpoint
Related
- Authentication - How authentication works
- Quick Start - Make your first API call