API Key Authentication
All API endpoints require authentication using an Access Token passed in the x-api-key request header.
Requests without a valid token or with an incorrect header name will return a 401 Unauthorized response.
Example Request
Replace YOUR_ACCESS_TOKEN with your actual token provided by Lokki.
How to Obtain an Access Token
To obtain an access token, please contact your Lokki representative. They will guide you through the partnership process and provide the necessary credentials for both Staging and Production environments.
Environments
Access tokens are environment-specific. A token generated for Staging will not work on Production, and vice-versa.

| Environment | Example Token Format |
|---|---|
| Staging | lokki_sk_test_... |
| Production | lokki_sk_live_... |
Key Scopes
API keys are scoped to limit access based on your partnership agreement. These scopes are defined at three levels:
- Domain level: Access to specific data sets (e.g., stores, items).
- Action level: Permission to perform specific actions (read, write).
- Route level: Access to specific HTTP methods (e.g., GET, POST).

If you receive a 403 Forbidden error, your token might not have the required scope for that specific endpoint.
Security Best Practices
- Keep Your Token Secret: Treat your access token like a password. Never expose it in client-side code (browsers, mobile apps) or public repositories.
- Use Environment Variables: Store your tokens in secure environment variables or a secret management system.
- Rotate Keys: If you suspect a token has been compromised, contact your Lokki representative immediately to revoke it and issue a new one.
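
The following client sketch combines the x-api-key header, the environment-specific token prefixes and the 401/403 responses described above. It is an added example, not Lokki's own code. The LOKKI_API_TOKEN variable name and the `.example` hosts are assumptions, and so is the idea that real tokens carry the prefixes shown in the example format table.

```python
import os
import urllib.error
import urllib.request

# Prefixes taken from the page's "Example Token Format" table.
TOKEN_PREFIX = {"staging": "lokki_sk_test_", "production": "lokki_sk_live_"}
# Placeholder hosts (assumption): the page does not give base URLs.
BASE_URL = {"staging": "https://staging.lokki.example",
            "production": "https://api.lokki.example"}
# The two auth failures the page documents and the cause it gives for each.
AUTH_ERRORS = {401: "missing or invalid token, or wrong header name",
               403: "token may lack the scope required for this endpoint"}


def load_token(environment, env=os.environ):
    """Read the token from LOKKI_API_TOKEN (assumed variable name) and
    refuse one whose prefix does not match the target environment."""
    token = env.get("LOKKI_API_TOKEN", "").strip()
    if not token:
        raise RuntimeError("LOKKI_API_TOKEN is not set")
    if not token.startswith(TOKEN_PREFIX[environment]):
        raise RuntimeError(f"token is not a {environment} token")
    return token


def redact(token):
    """Log-safe form: keep the environment prefix, hide the secret part."""
    for prefix in TOKEN_PREFIX.values():
        if token.startswith(prefix):
            return prefix + "****"
    return "****"


def build_request(environment, path, token):
    """Build a GET request carrying the token in the x-api-key header."""
    return urllib.request.Request(BASE_URL[environment] + path,
                                  headers={"x-api-key": token}, method="GET")


def call(environment, path):
    """Send the request; return (status, body) or (status, likely cause)."""
    req = build_request(environment, path, load_token(environment))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, AUTH_ERRORS.get(err.code, err.reason)
```

The prefix check fails before any request is sent, so a Staging token is never transmitted to the Production host or the reverse, and `redact` gives a form of the token that can go into logs.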