Authentication
Developer Guide
API Keys
ShipRateAPI uses API key authentication. Every request to the API must include your key in the x-api-key HTTP header. There is no OAuth flow or token exchange — the key is passed directly on each request.
```http
POST /api/v1/quotes
Content-Type: application/json
x-api-key: sk_live_xxxxxxxxxxxxxxxxxxxx
```

Keep your key secret. Never expose it in client-side JavaScript, public repositories, or frontend code. All ShipRateAPI plugin integrations call the API server-side so the key never reaches the browser.
Generating a key
1. Log in to the ShipRateAPI admin portal
2. Navigate to Settings → API Keys
3. Click Generate New Key and give it a descriptive name (e.g. Magento Production)
4. Copy the key immediately — it is only shown in full once
Key scoping
Each API key is tied to a single store within your ShipRateAPI account. A key for Store A cannot be used to fetch rates for Store B. This means:
- If you run multiple storefronts, generate a separate key for each
- Rate rules, carriers, and zones are all resolved in the context of the key's store
- Revoking a key instantly disables all requests using it — useful for offboarding or security incidents
Error responses
| HTTP status | Cause |
|---|---|
| 401 Unauthorized | Missing or invalid x-api-key header |
| 403 Forbidden | Key is valid but has been revoked or suspended |
| 429 Too Many Requests | Rate limit exceeded for the plan — see your plan's monthly request allowance |
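
A server-side caller that ties together the header, per-store key scoping, and the error statuses above. This is an added example, not ShipRateAPI's own code. The base URL, the `SHIPRATE_KEY_<STORE>` environment variable naming, the request payload, and the JSON response handling are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder, not the real host

class KeyRejected(Exception):
    """401/403 or no key configured: retrying with the same key cannot help."""

class RateLimited(Exception):
    """429: plan allowance exceeded; back off rather than retry immediately."""

def key_for_store(store_id, env=os.environ):
    # Keys are store-scoped, so hold one per store in the server environment
    # (hypothetical variable naming), never in frontend code or a repository.
    key = env.get("SHIPRATE_KEY_" + store_id.upper())
    if not key:
        raise KeyRejected(f"no API key configured for store {store_id!r}")
    return key

def redact(key):
    # Log-safe form: the sk_live_ prefix and last four characters only.
    return key[:8] + "..." + key[-4:] if len(key) >= 16 else "***"

def build_quote_request(store_id, payload, env=os.environ):
    headers = {"Content-Type": "application/json",
               "x-api-key": key_for_store(store_id, env)}
    return urllib.request.Request(BASE_URL + "/api/v1/quotes", method="POST",
                                  data=json.dumps(payload).encode(),
                                  headers=headers)

def fetch_quote(store_id, payload, env=os.environ,
                opener=urllib.request.urlopen):
    req = build_quote_request(store_id, payload, env)
    shown = redact(req.get_header("X-api-key"))  # urllib capitalizes names
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):  # invalid, revoked or suspended key
            raise KeyRejected(f"HTTP {err.code} for key {shown}") from None
        if err.code == 429:
            raise RateLimited(f"HTTP 429 for key {shown}") from None
        raise
```

Treat `KeyRejected` as a signal to stop and alert, since a 401 or 403 will repeat until the key is replaced in the admin portal.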