API Authentication Guide
Learn how to securely authenticate with the AtoShip API using API keys.
Overview
Authentication Method: AtoShip authenticates every API request with an API key. Each request must carry the key in the Authorization header as a Bearer token (see Authentication Header below), and all requests go over HTTPS to https://api.atoship.com.
Getting Your API Key
Step-by-Step:
- Log in to AtoShip
- Go to Settings → API
- Click "Generate API Key"
- Copy the key and store it in a secrets manager or environment variable
- The full key is shown only once; if you lose it, generate a new key and revoke the old one
API Key Types
Key Levels:
| Type | Access | Use Case |
|---|---|---|
| Live | Production | Real shipments |
| Test | Sandbox | Development |
Authentication Header
Required Header:
Authorization: Bearer YOUR_API_KEY
Example Request:
curl -X GET https://api.atoship.com/v1/rates \
-H "Authorization: Bearer sk_live_abc123..." \
-H "Content-Type: application/json"
API Key Format
Key Structure:
sk_live_xxxxxxxxxxxxxxxxxxxx (Live key)
sk_test_xxxxxxxxxxxxxxxxxxxx (Test key)
Code Examples
JavaScript:
// Replace the literal with a key loaded from the environment (see Environment Variables below).
// Never ship a live key in browser or mobile code, where anyone can read it.
const response = await fetch('https://api.atoship.com/v1/rates', {
  method: 'GET',
  headers: {
    'Authorization': 'Bearer sk_live_abc123...',
    'Content-Type': 'application/json'
  }
});
Python:
import requests

# Replace the literal with a key loaded from the environment (see Environment Variables below).
headers = {
    'Authorization': 'Bearer sk_live_abc123...',
    'Content-Type': 'application/json'
}
response = requests.get(
    'https://api.atoship.com/v1/rates',
    headers=headers,
    timeout=10
)
response.raise_for_status()  # raises on 401/403/429 instead of silently continuing
PHP:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.atoship.com/v1/rates');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'Authorization: Bearer sk_live_abc123...', // load from the environment in real code
    'Content-Type: application/json'
]);
$response = curl_exec($ch);
$status = curl_getinfo($ch, CURLINFO_HTTP_CODE); // check for 401/403/429 before using $response
curl_close($ch);
Security Best Practices
Protect Your Keys:
- Never embed keys in client-side code (browser JavaScript, mobile apps) or commit them to source control; anyone with the code can extract them
- Load keys from environment variables or a secrets manager
- Rotate keys periodically and immediately on suspected compromise
- Use test keys for development and CI; live keys create real shipments
- Monitor API usage so a leaked key shows up as unexpected calls, source IPs, or error spikes
Environment Variables
Store Securely:
# .env file (never commit!)
ATOSHIP_API_KEY=sk_live_abc123...
Access in Code:
const apiKey = process.env.ATOSHIP_API_KEY;
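The Python helper below, added here as an example and not part of AtoShip's SDK or this guide's original code, puts the above together: it reads ATOSHIP_API_KEY, strips stray whitespace (a trailing newline in a .env file is a common cause of 401s), checks the sk_live_/sk_test_ format documented above, refuses a live key outside production so a developer cannot create real shipments by accident, and builds the Authorization header. APP_ENV as the name of the deployment-environment variable, and the suffix-only format check, are assumptions of the example.

```python
import os
import re

# Key formats documented on this page: sk_live_<suffix> and sk_test_<suffix>.
# The suffix length is not documented (the page shows a 20-x placeholder), so
# only a non-empty alphanumeric suffix is required here (assumption).
KEY_RE = re.compile(r"^sk_(live|test)_[A-Za-z0-9]+$")


class ConfigError(Exception):
    """Raised when the key is missing, malformed, or wrong for the environment."""


def key_mode(api_key: str) -> str:
    """Return 'live' or 'test' for a well-formed key; raise ConfigError otherwise."""
    match = KEY_RE.match(api_key)
    if not match:
        raise ConfigError("API key is not in sk_live_/sk_test_ format")
    return match.group(1)


def redact(api_key: str) -> str:
    """Log-safe form: keep the type prefix and the last 4 characters only."""
    head, _, tail = api_key.rpartition("_")
    return f"{head}_****{tail[-4:]}"


def load_api_key(env=None, app_env=None) -> str:
    """Read ATOSHIP_API_KEY and enforce that its type matches the deployment.

    env: mapping to read from (defaults to os.environ; injectable for tests).
    app_env: 'production' or anything else; defaults to APP_ENV, then 'development'.
    APP_ENV is an assumed variable name for this example, not something AtoShip defines.
    """
    env = os.environ if env is None else env
    app_env = (app_env or env.get("APP_ENV", "development")).strip().lower()
    # strip(): a trailing newline copied into a .env file is a classic cause of 401s
    key = env.get("ATOSHIP_API_KEY", "").strip()
    if not key:
        raise ConfigError("ATOSHIP_API_KEY is not set")
    mode = key_mode(key)
    if app_env == "production" and mode != "live":
        raise ConfigError(f"production requires a live key, got {redact(key)}")
    if app_env != "production" and mode == "live":
        # Refuse rather than warn: a live key in dev creates real shipments and charges.
        raise ConfigError(f"non-production ({app_env}) must use a test key, got {redact(key)}")
    return key


def auth_headers(api_key: str) -> dict:
    """Headers for every AtoShip request: Bearer token plus JSON content type."""
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


if __name__ == "__main__":
    try:
        key = load_api_key()
        print("using", redact(key), "->", auth_headers(key)["Content-Type"])
    except ConfigError as exc:
        # Fail fast at startup; the message never contains the full key.
        print("config error:", exc)
```

Call load_api_key() once at startup and keep the returned value out of logs; redact() is the only form that should ever be printed.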
Key Rotation
When to Rotate:
- Suspected compromise
- Employee departure
- Regular security policy
- After security audit
How to Rotate:
- Generate a new key (the old key stays valid, so there is no outage)
- Update every application and integration to the new key
- Test each one with the new key and watch for 401s
- Revoke the old key only once nothing still uses it
Rate Limiting
Default Limits:
| Plan | Requests/min |
|---|---|
| Starter | 60 |
| Professional | 300 |
| Enterprise | Custom |
Error Responses
Authentication Errors:
{
"error": {
"code": "unauthorized",
"message": "Invalid API key provided",
"status": 401
}
}
Common Errors:
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | Invalid or revoked key |
| 403 | forbidden | Key lacks the required scope or the source IP is not allowed |
| 429 | rate_limited | Plan limit exceeded; back off and retry |
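As an added example (not AtoShip's client library and not code from this guide), the Python function below sends the Bearer header, maps the documented 401/403/429 responses to typed exceptions, and retries 429s with a backoff, so it also serves the Rate Limiting section above. It uses only the standard library. A Retry-After header is not documented on this page and is treated as an assumption (honored if present, exponential backoff otherwise); the scripted transport is a constructed offline stand-in so the error handling can be exercised without calling the real API.

```python
import json
import time
import urllib.error
import urllib.request

API_BASE = "https://api.atoship.com/v1"


class ApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


class AuthError(ApiError): """401: key missing, malformed, or revoked. Do not retry."""
class ForbiddenError(ApiError): """403: key is valid but lacks scope or the IP is not allowed."""
class RateLimited(ApiError): """429: plan limit exceeded and retries exhausted."""


def parse_error(body: bytes):
    """Extract (code, message) from the documented error envelope; tolerate non-JSON bodies."""
    try:
        err = json.loads(body.decode("utf-8", "replace")).get("error", {})
    except (ValueError, AttributeError):
        err = {}
    return err.get("code", "unknown"), err.get("message", "")


def urllib_transport(method, url, headers):
    """Real transport: returns (status, headers, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read()


def scripted_transport(responses):
    """Constructed offline stand-in: replays (status, headers, body) tuples in order."""
    queue = list(responses)

    def transport(method, url, headers):
        assert headers["Authorization"].startswith("Bearer "), "missing Bearer prefix"
        return queue.pop(0)
    return transport


def atoship_get(path, api_key, transport=urllib_transport, max_retries=3, sleep=time.sleep):
    """GET API_BASE+path with the Bearer header; retry 429s, raise typed errors otherwise."""
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    for attempt in range(max_retries + 1):
        status, resp_headers, body = transport("GET", API_BASE + path, headers)
        if 200 <= status < 300:
            return json.loads(body) if body else None
        code, message = parse_error(body)
        if status == 401:
            raise AuthError(status, code, message)
        if status == 403:
            raise ForbiddenError(status, code, message)
        if status == 429:
            if attempt == max_retries:
                raise RateLimited(status, code, message)
            # Retry-After is an assumption (not documented here): honor it if present,
            # otherwise back off exponentially (1s, 2s, 4s, ...).
            lowered = {k.lower(): v for k, v in resp_headers.items()}
            sleep(float(lowered.get("retry-after", 2 ** attempt)))
            continue
        raise ApiError(status, code, message)


if __name__ == "__main__":
    # Offline demo with constructed responses: one 429, then success.
    limited = b'{"error":{"code":"rate_limited","message":"Too many requests","status":429}}'
    demo = scripted_transport([(429, {"Retry-After": "1"}, limited), (200, {}, b'{"rates":[]}')])
    print(atoship_get("/rates", "sk_test_abc123", transport=demo, sleep=lambda s: print("sleep", s)))
```

A 401 and a 403 are never retried: the first means the key itself is wrong (check format, Bearer prefix, and whether it was revoked), the second means the key is real but the request is outside its scope or IP allowlist, and repeating either only adds noise to your usage logs.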
Multiple API Keys
Use Cases:
- Different environments
- Different services
- Team members
- External integrators
Key Permissions
Scope Control:
- Full access (the default; prefer a narrower scope for each integration)
- Read-only (for example, rate lookups and reporting)
- Specific endpoints
- Custom scopes
IP Restrictions
Optional Security:
- Restrict each key to an allowlist of source IPs or ranges
- Requests from any other address are rejected even with a valid key
- Audit access logs for rejected requests; they often reveal a leaked key being tried
Monitoring Usage
Track Activity:
- API call count
- Endpoint usage
- Error rates
- Response times
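Added example, not an AtoShip feature or code from this guide: the script below turns usage data into a detection. The log line format and the sample lines are constructed for the example (this page does not document an export format), and keys appear redacted as they should in any log. It computes per-key call counts, endpoint usage, error rate and mean response time, then flags keys that called from outside an expected IP range (the IP Restrictions idea above) or that show an error-rate spike, both classic signs of a leaked or misused key.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log for this example (assumed format; not an AtoShip export).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z key=sk_live_****9f3a ip=203.0.113.10 endpoint=/v1/rates status=200 ms=120
2024-05-01T10:00:02Z key=sk_live_****9f3a ip=203.0.113.10 endpoint=/v1/shipments status=201 ms=340
2024-05-01T10:00:05Z key=sk_live_****9f3a ip=198.51.100.7 endpoint=/v1/rates status=200 ms=95
2024-05-01T10:00:06Z key=sk_live_****9f3a ip=198.51.100.7 endpoint=/v1/shipments status=403 ms=20
2024-05-01T10:00:07Z key=sk_live_****9f3a ip=198.51.100.7 endpoint=/v1/labels status=403 ms=22
2024-05-01T10:00:08Z key=sk_test_****11c2 ip=203.0.113.10 endpoint=/v1/rates status=200 ms=80
2024-05-01T10:00:09Z key=sk_test_****11c2 ip=203.0.113.10 endpoint=/v1/rates status=429 ms=5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) key=(?P<key>\S+) ip=(?P<ip>\S+) endpoint=(?P<endpoint>\S+) "
    r"status=(?P<status>\d+) ms=(?P<ms>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; skip lines that do not match the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["ms"] = int(rec["ms"])
            yield rec


def summarize(records):
    """Per-key call count, endpoint usage, error rate (4xx/5xx), source IPs, mean latency."""
    per_key = {}
    for r in records:
        s = per_key.setdefault(r["key"], {
            "calls": 0, "errors": 0, "endpoints": Counter(), "ips": set(), "ms_total": 0,
        })
        s["calls"] += 1
        s["errors"] += r["status"] >= 400
        s["endpoints"][r["endpoint"]] += 1
        s["ips"].add(r["ip"])
        s["ms_total"] += r["ms"]
    for s in per_key.values():
        s["error_rate"] = round(s["errors"] / s["calls"], 2)
        s["avg_ms"] = round(s["ms_total"] / s["calls"])
    return per_key


def find_anomalies(summary, allowed_networks, max_error_rate=0.25):
    """Flag keys used from outside the expected networks or with an elevated error rate.

    A burst of 403s from a new IP is what a stolen key probing for scope looks like.
    """
    nets = [ip_network(n) for n in allowed_networks]
    findings = []
    for key, s in summary.items():
        outside = sorted(ip for ip in s["ips"] if not any(ip_address(ip) in n for n in nets))
        if outside:
            findings.append((key, "unexpected_source_ip", outside))
        if s["error_rate"] > max_error_rate:
            findings.append((key, "high_error_rate", s["error_rate"]))
    return findings


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, s in summary.items():
        print(key, s["calls"], "calls,", s["error_rate"], "error rate,", dict(s["endpoints"]))
    for finding in find_anomalies(summary, ["203.0.113.0/24"]):
        print("ALERT", finding)
```

An "unexpected_source_ip" finding on a live key is a rotation trigger: generate a new key, move your integrations, and revoke the old one, then add the IP restriction so the next leak is rejected at the edge instead of merely logged.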
Revoking Keys
When Needed:
- Settings → API
- Find the key
- Click "Revoke"
- Confirm action
Troubleshooting
Auth Issues:
- Verify the key format (sk_live_ or sk_test_ prefix, no surrounding whitespace or trailing newline)
- Check that the header name is exactly Authorization
- Ensure the value starts with "Bearer " (one space) followed by the key
- Verify the key is still active (not revoked) and is the right type for the environment you are calling
- Check rate limits (a 429 means back off and retry, not that the key is wrong)
Test Mode
Development Setup:
- Use test API key
- No real charges
- Simulated responses
- Safe to experiment