API Keys
API Keys Overview
Scopes
API Key permissions are governed by read and write scopes. If an API Key has write scopes, it's able to create, update, and delete whatever resources it has scopes for.
For example, an API Key that has read scopes for fulfillments and write scopes for shipments will be able to freely create, purchase, and retrieve all shipments. However, that API Key will not be able to create any fulfillments.
By default, a newly created API Key has no scopes. This means you need to explicitly add scopes to it. The best practice is to grant only the privileges that your use case requires.
Expiration
PackageX API Keys are long-lived, meaning they do not expire. If you want to rotate API Keys, there are two solutions.
- Manually rotate keys by creating a new key via the PackageX Dashboard.
- Create an API Key with the scope to write other API Keys. Make sure you keep this key secure!
Please note that even if an API Key has scopes to write other API Keys, it cannot add permissions to newly created keys that it does not have.
From the example above, a new API Key could not be created with fulfillment:write scopes because that key only has fulfillment:read scopes.
Locations
You can further limit your API Key by additionally scoping it to a specific location. This way the API Key can only access resources that are associated with that location and are within the scopes of that API Key.
Using the above example again, if limited to a location, the API Key will only be able to read fulfillments from the specified location.
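The sketch below models the scope, key-creation and location rules described above and adds a small least-privilege audit of a key inventory. It is an added example, not PackageX code or its API. The scope names api_key:write and shipment:write, the location ids, the sample keys, the "write covers read" rule and the child key inheriting its parent's location are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

KEY_WRITE = "api_key:write"  # hypothetical name for the "write other API Keys" scope

@dataclass(frozen=True)
class ApiKey:
    id: str
    scopes: frozenset = frozenset()    # a newly created key has no scopes
    location_id: Optional[str] = None  # None means not limited to a location

def holds(key, scope):
    """True if the key holds `scope`. Assumption: write covers read on the same
    resource, as in the page's shipment example (a write key can retrieve)."""
    resource, _, action = scope.partition(":")
    return scope in key.scopes or (action == "read" and f"{resource}:write" in key.scopes)

def allowed(key, scope, location_id):
    """Authorize one request: the scope must be held and, for a location-limited
    key, the resource must belong to that location."""
    in_location = key.location_id is None or key.location_id == location_id
    return holds(key, scope) and in_location

def mint(parent, new_id, requested):
    """Create a key using another key, refusing scopes the parent does not hold.
    Assumption: the child inherits the parent's location limit."""
    if not holds(parent, KEY_WRITE):
        raise PermissionError(f"{parent.id} has no scope to write API Keys")
    missing = sorted(s for s in requested if not holds(parent, s))
    if missing:
        raise PermissionError(f"{parent.id} cannot grant {missing}")
    return ApiKey(new_id, frozenset(requested), parent.location_id)

def audit(keys):
    """Least-privilege review of a key inventory: return (key id, finding) pairs."""
    findings = []
    for k in keys:
        if holds(k, KEY_WRITE):
            findings.append((k.id, "can create keys: treat as a high-value secret"))
        if k.scopes and k.location_id is None:
            findings.append((k.id, "not limited to a location"))
    return findings

# Constructed inventory; ids and scope names other than fulfillment:* are assumed.
ROTATOR = ApiKey("key_rotator", frozenset({KEY_WRITE, "fulfillment:read", "shipment:write"}))
DOCK = ApiKey("key_dock", frozenset({"fulfillment:read"}), location_id="loc_a")
```

Running audit over an exported key list before each rotation shows which keys can mint others and which are still unscoped by location.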
Object IDs
To make the development experience a little easier, all contact object ids will be prefixed with key_ to make them easy to distinguish.