API Tokens
Create secure API keys to access your store data programmatically and build custom integrations.
Overview
API tokens allow you to:
- Access your store's API endpoints programmatically
- Build custom integrations and automation tools
- Connect third-party applications to your store
- Retrieve analytics and manage resources via API
Each token can be configured with specific permissions (scopes), rate limits, and expiration dates to ensure secure access control.
Creating API Tokens
Step 1: Navigate to API Tokens
- Go to Settings > API Tokens
- Click Create Key
Step 2: Configure Token Settings
Token Name (required)
- Choose a descriptive name (e.g., "Mobile App", "Analytics Dashboard")
- Helps you identify the token's purpose later
Scopes (required)
- Select which resources the token can access
- Choose between read-only or read/write permissions
- See Available Scopes below
Expiration Date (optional)
- Set when the token should expire
- Leave empty for tokens that never expire
- Setting an expiration date is recommended for enhanced security
Rate Limit (default: 60 req/min)
- Configure requests per minute (1-1000)
- Prevents abuse and manages API usage
- Default limit is 60 requests per minute
Step 3: Save Your Token
Important
After creation, you'll see the API key only once. Copy and store it securely - you won't be able to see it again!
The token will be displayed in this format:
```
sk_live_1234567890abcdefghijklmnopqrstuvwxyz
```
Available Scopes
Configure granular permissions for each API token:
| Scope | Description |
|---|---|
| products:read | View products, variants, and pricing |
| products:write | Create, update, and delete products |
| orders:read | View order details and history |
| orders:write | Update order status and details |
| customers:read | View customer information |
| customers:write | Create and update customers |
| analytics:read | Access analytics data (read-only) |
| webhooks:read | View webhook configurations |
| webhooks:write | Create and manage webhooks |
| settings:read | View store settings |
| settings:write | Modify store settings |
Permission Strategy
Grant only the minimum permissions needed for each integration. You can create multiple tokens with different scopes for different purposes.
Using API Tokens
Authentication
Include your API token in the Authorization header:
```bash
curl https://api.pixlpay.net/v1/store/products \
  -H "Authorization: Bearer sk_live_your_token_here"
```
Example Request
```javascript
const response = await fetch('https://api.pixlpay.net/v1/store/products', {
  headers: {
    'Authorization': 'Bearer sk_live_your_token_here',
    'Content-Type': 'application/json'
  }
});
const products = await response.json();
```
For complete API documentation, see the Developer API Reference.
Viewing Token Usage
Track how your API tokens are being used:
- Go to Settings > API Tokens
- Click on any token to view its usage page
Usage Analytics
Metrics Available:
- Total Requests - Overall request count for selected period
- Requests Today - Activity in the last 24 hours
- Average Response Time - API latency performance
- Error Rate - Percentage of failed requests
Request Timeline:
- Visual chart showing request volume over time
- Filter by: Today, Last 7 Days, Last 30 Days, Last Year, All Time
Endpoint Breakdown:
- See which endpoints are called most frequently
- Monitor success rates per endpoint
- Track average response times
Recent API Calls:
- View the last 20 API requests
- Filter by HTTP status code
- See timestamp, method, endpoint, and IP address
Managing Tokens
Rotating Tokens
If a token may have been compromised:
- Go to Settings > API Tokens
- Click Rotate on the token
- A new token value is generated
- Update your applications with the new token
WARNING
The old token value becomes invalid immediately. Make sure to update all applications using this token.
Revoking Tokens
To permanently disable a token:
- Go to Settings > API Tokens
- Click Revoke on the token
- Confirm the action
This action:
- Cannot be undone
- Stops all API requests immediately
- Preserves token usage history for audit purposes
Token Statuses
| Status | Description |
|---|---|
| Active | Token is valid and can make API requests |
| Expired | Token has passed its expiration date |
| Revoked | Token has been manually disabled |
Security Best Practices
Storage
- Never commit tokens to version control
- Use environment variables or secure vaults
- Rotate tokens regularly (every 90 days recommended)
- Revoke unused tokens immediately
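One way to enforce the first rule above before a commit lands, as an added example that is not part of the Pixlpay documentation: it scans the added lines of a unified diff for token-shaped strings and reports them redacted. The token pattern is an assumption inferred from the sample token on this page, and `scanDiff`, `redact` and the sample diff are constructed for illustration.

```javascript
// Added example. Assumption: the secret part is 20+ letters/digits, inferred from
// the sample token on this page; the real length and alphabet may differ.
const TOKEN_RE = /\bsk_(live|test)_[A-Za-z0-9]{20,}\b/g;

// Show enough to identify a token in a report without re-leaking it.
function redact(token) {
  return token.slice(0, 12) + '...' + token.slice(-4);
}

// Walk a unified diff and report tokens on added lines with file and line number.
function scanDiff(diffText) {
  const findings = [];
  let file = null;
  let lineNo = 0;
  for (const line of diffText.split('\n')) {
    if (line.startsWith('+++ ')) {
      file = line.slice(4).replace(/^b\//, '');
    } else if (line.startsWith('@@')) {
      const m = /\+(\d+)/.exec(line); // new-file start line of the hunk
      lineNo = m ? Number(m[1]) : 0;
    } else if (line.startsWith('+')) {
      for (const hit of line.slice(1).matchAll(TOKEN_RE)) {
        findings.push({ file, line: lineNo, kind: hit[1], token: redact(hit[0]) });
      }
      lineNo++;
    } else if (line.startsWith(' ')) {
      lineNo++; // a context line also advances the new-file line counter
    }
  }
  return findings;
}

// Constructed diff: one hard-coded token, one env lookup, one docs placeholder.
const SAMPLE_DIFF = [
  'diff --git a/src/sync.js b/src/sync.js',
  '--- a/src/sync.js',
  '+++ b/src/sync.js',
  '@@ -10,2 +10,4 @@',
  ' const url = "https://api.pixlpay.net/v1/store/products";',
  '+const key = "sk_live_1234567890abcdefghijklmnopqrstuvwxyz";',
  '+const safe = process.env.PIXLPAY_API_TOKEN;',
  '+// docs: Bearer sk_live_your_token_here',
].join('\n');
```

Feed it the output of `git diff --cached` from a pre-commit hook and fail the commit when the returned list is non-empty.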
Access Control
- Create separate tokens for each application
- Use the principle of least privilege (minimal scopes)
- Set expiration dates for temporary integrations
- Monitor usage for unusual activity
Rate Limiting
- Respect rate limits to avoid throttling
- Implement exponential backoff for retries
- Cache API responses when appropriate
- Use webhooks instead of polling when possible
Never Share Tokens
API tokens provide direct access to your store data. Never share tokens publicly, in screenshots, or with unauthorized parties.
Troubleshooting
401 Unauthorized Error
Possible causes:
- Token is expired or revoked
- Token is missing from the request
- Token format is incorrect (should start with sk_live_ or sk_test_)
Solution: Verify your token is active and properly formatted in the Authorization header.
403 Forbidden Error
Possible causes:
- Token lacks required scope for the endpoint
- Trying to access resources outside your store
Solution: Check that your token has the necessary permissions (scopes) for the API endpoint.
429 Too Many Requests
Possible causes:
- Exceeded the token's rate limit
- Making too many requests too quickly
Solution: Implement rate limiting in your application and add delays between requests.
Token Not Working After Creation
Possible causes:
- Using the token ID instead of the actual token value
- Copy-paste error (extra spaces or missing characters)
Solution: Ensure you copied the complete token value shown immediately after creation.
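The troubleshooting cases above and the backoff advice under Rate Limiting, combined in one client as an added example (not Pixlpay's own code): it rejects a malformed token before sending, fails fast on 401/403, and retries only 429 with jittered exponential backoff. The `PIXLPAY_API_TOKEN` variable name, the helper names, the backoff constants and the stubbed `fetch` in `demo` are assumptions.

```javascript
// Added example: names marked "assumed" are not from the Pixlpay documentation.
const API_URL = 'https://api.pixlpay.net/v1/store/products'; // endpoint shown on this page

// Catch copy-paste damage (stray whitespace, wrong value) before any request is sent.
function loadToken(env = process.env) {
  const token = (env.PIXLPAY_API_TOKEN || '').trim(); // assumed variable name
  if (!/^sk_(live|test)_\S+$/.test(token)) {
    throw new Error('token missing or not in sk_live_/sk_test_ format');
  }
  return token;
}

// Full-jitter exponential backoff: random delay in [0, min(cap, base * 2^attempt)).
function backoffMs(attempt, baseMs = 500, capMs = 30000, rand = Math.random) {
  return Math.floor(rand() * Math.min(capMs, baseMs * 2 ** attempt));
}

async function getWithBackoff(url, token, opts = {}) {
  const sleep = opts.sleep || ((ms) => new Promise((r) => setTimeout(r, ms)));
  const fetchImpl = opts.fetchImpl || fetch;
  const maxRetries = opts.maxRetries ?? 5;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
    if (res.ok) return res.json();
    // 401/403: token expired, revoked or under-scoped. Retrying cannot fix that.
    if (res.status === 401 || res.status === 403) {
      throw new Error(`auth failure ${res.status}: check token status and scopes`);
    }
    // Only 429 is retried here; give up once the retry budget is spent.
    if (res.status !== 429 || attempt >= maxRetries) {
      throw new Error(`request failed with ${res.status} after ${attempt + 1} attempt(s)`);
    }
    await sleep(backoffMs(attempt));
  }
}

// Constructed offline demo: a stub server that answers 429 twice, then 200.
async function demo() {
  const statuses = [429, 429, 200];
  const delays = [];
  const fetchImpl = async () => {
    const status = statuses.shift();
    return { ok: status === 200, status, json: async () => [{ id: 'constructed-product' }] };
  };
  const token = loadToken({ PIXLPAY_API_TOKEN: ' sk_test_constructedvalue \n' });
  const sleep = async (ms) => { delays.push(ms); };
  const body = await getWithBackoff(API_URL, token, { fetchImpl, sleep });
  return { body, retries: delays.length, token };
}
```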
Rate Limits
Default rate limits by plan:
| Plan | Default Rate Limit | Max Rate Limit |
|---|---|---|
| Free | 60 req/min | 60 req/min |
| Starter | 60 req/min | 120 req/min |
| Growth | 60 req/min | 300 req/min |
| Pro | 60 req/min | 600 req/min |
| Enterprise | 60 req/min | 1000 req/min |
TIP
Contact support if you need higher rate limits for your integration.
Related Features
- API Documentation - Complete API reference and endpoints
- Webhooks - Receive real-time event notifications
- Custom Discord Bot - Build Discord integrations
Need Help?
- View the API Documentation for endpoint details
- Check Error Handling for debugging tips
- Review Rate Limits for usage policies
- See code examples in multiple languages in the Developer Quickstart
