| Key | Prefix | Role |
|---|---|---|
| Public API key | mk_ | Identifies your manufacturer account |
| Secret key | msk_ | Authorizes privileged requests |

Required headers
Send both on every request:401:
Keep the secret key server-side
Keep the secret key on a server you control (an edge function / worker) and have your client call that server, not the API directly. The client holds only the public key; your server attaches the secret. The app-starter’s docs/SECURITY.md
documents this setup.
Rate limits
Each API key has a per-minute rate limit. Exceeding it returns 429. Back off
and retry.
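The server-side relay and the 429 back-off described above, combined in one handler. This is an added example, not code from the app-starter or this API's documentation; the header names, base URL, route allowlist and retry timings are assumptions, since the page does not state them.

```javascript
// Added example. ASSUMPTIONS (not from the docs): header names, base URL, routes.
const API_BASE = "https://api.example.invalid"; // placeholder host
const PUBLIC_HEADER = "X-Api-Key";              // hypothetical header name
const SECRET_HEADER = "X-Secret-Key";           // hypothetical header name

// Relay only the routes the client app needs; the secret key is privileged.
const ALLOWED = [
  { method: "GET", path: /^\/products$/ },
  { method: "POST", path: /^\/products$/ },
];
const MAX_ATTEMPTS = 4;
const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// req: { method, path, publicKey, body } as parsed from the client's call.
// env: server-side configuration holding SECRET_KEY (never shipped to clients).
async function relay(req, env, fetchImpl = fetch, sleep = realSleep) {
  const key = String(req.publicKey || "");
  // A client presenting an msk_ value means the secret leaked into a client build.
  if (key.startsWith("msk_")) return { status: 400, body: "secret key sent by client" };
  if (!key.startsWith("mk_")) return { status: 401, body: "missing public key" };
  if (!ALLOWED.some((r) => r.method === req.method && r.path.test(req.path))) {
    return { status: 403, body: "route not relayed" };
  }
  // Headers are built from scratch so client input cannot set or override them.
  const headers = {
    [PUBLIC_HEADER]: key,
    [SECRET_HEADER]: env.SECRET_KEY,
    "Content-Type": "application/json",
  };
  const body = req.method === "GET" ? undefined : JSON.stringify(req.body ?? {});
  for (let attempt = 1; ; attempt++) {
    const res = await fetchImpl(API_BASE + req.path, { method: req.method, headers, body });
    if (res.status !== 429 || attempt === MAX_ATTEMPTS) {
      // Pass back status and body only; no upstream or request headers.
      return { status: res.status, body: await res.text() };
    }
    await sleep(500 * 2 ** (attempt - 1)); // back off 500 ms, 1 s, 2 s, then give up
  }
}
```

The fetch and sleep functions are injectable so the relay can be exercised without network access; in a worker, omit both arguments to use the platform defaults.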
Start calling endpoints
Products: list, create, update, delete.

