API Keys
API keys authenticate your applications with the TakeTheme API. This guide covers how to create, manage, and secure your API keys.
Creating API Keys
Via Dashboard
- Log in to your TakeTheme Dashboard
- Navigate to Settings → API Keys
- Click Create New Key
- Configure the key:
  - Name: A descriptive name (e.g., "Production Backend", "Mobile App")
  - Environment: Live or Test
  - Scopes: Select the required permissions
  - IP Restrictions: Optionally limit to specific IPs
- Click Create Key
- Copy your key immediately — it won't be shown again
Your secret API key is displayed only once when created. Store it securely. If you lose it, you'll need to generate a new key.
Key Structure
TakeTheme API keys follow this format:
tt_{64_character_hex_string}
| Component | Description | Length |
|---|---|---|
| tt_ | TakeTheme prefix | 3 |
| {64_character_hex_string} | Cryptographically random hex string | 64 |
Example:
tt_a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
The key is generated with crypto.randomBytes(32), which draws 32 bytes (256 bits) from a cryptographically secure random number generator and hex-encodes them as a 64-character string. Keys are therefore neither guessable nor derivable from one another.
Managing Keys
Viewing Keys
In your dashboard, you can view:
- Key name and creation date
- Last used timestamp
- Assigned scopes
- IP restrictions (if any)
For security, only the first and last 4 characters of each key are displayed. The full key is never shown after initial creation.
Rotating Keys
Regular key rotation is a security best practice:
- Create a new API key with the same permissions
- Update your application to use the new key
- Monitor for any issues
- Revoke the old key once confirmed working
Revoking Keys
To immediately disable an API key:
- Go to Settings → API Keys
- Find the key to revoke
- Click the ⋮ menu → Revoke
- Confirm the action
Revoking a key is permanent. Any applications using that key will immediately lose access.
Scopes & Permissions
Configure fine-grained access control with scopes:
Category Scopes
| Scope | Permissions |
|---|---|
| read:categories | List, retrieve category details |
| write:categories | Create, update, delete categories |
Product Scopes
| Scope | Permissions |
|---|---|
| read:products | List, retrieve product details |
| write:products | Create, update, delete products |
Order Scopes
| Scope | Permissions |
|---|---|
| read:orders | List, retrieve order details |
| write:orders | Create, update, and cancel orders; update fulfillment; process refunds |
Customer Scopes
| Scope | Permissions |
|---|---|
| read:customers | List, retrieve customer profiles |
| write:customers | Create, update customer data |
Staff Scopes
| Scope | Permissions |
|---|---|
| read:staff | List, retrieve staff members |
| write:staff | Create, update, delete staff |
Store Scopes
| Scope | Permissions |
|---|---|
| read:store | View store settings and configuration |
| write:store | Update store settings, countries, and marketing configuration |
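An added example (not TakeTheme's code) of what enforcing the scope tables above looks like on the server side, and of rejecting over-broad scope requests at key-creation time. The scope names are taken from the tables plus the write:api_keys scope mentioned under Programmatic Key Management; the method-to-action mapping (GET needs read:*, anything else needs write:*), the resource names, and the rule that write:* does not imply read:* are assumptions made for illustration.

```javascript
// Added example: scope enforcement for TakeTheme-style scopes.
// Every scope the page documents (assumed complete for this example).
const KNOWN_SCOPES = new Set([
  "read:categories", "write:categories",
  "read:products", "write:products",
  "read:orders", "write:orders",
  "read:customers", "write:customers",
  "read:staff", "write:staff",
  "read:store", "write:store",
  "write:api_keys", // from the Programmatic Key Management section
]);

// Which scope a (method, resource) pair needs. GET maps to read:*, every
// other method to write:*. Resource names are assumed to match the tables.
function requiredScope(method, resource) {
  const action = method.toUpperCase() === "GET" ? "read" : "write";
  const scope = `${action}:${resource}`;
  // Unknown resource: fail closed rather than guess.
  return KNOWN_SCOPES.has(scope) ? scope : null;
}

// Key-creation time check: unknown scopes and the "*" wildcard the page warns
// against are rejected, so an over-broad key can never be minted.
function validateRequestedScopes(scopes) {
  const rejected = scopes.filter((s) => !KNOWN_SCOPES.has(s));
  return { ok: rejected.length === 0, rejected };
}

// Per-request decision. Exact match only: write:orders does not grant
// read:orders, and no scope grants anything outside its own name (assumption).
function authorize(keyScopes, method, resource) {
  const needed = requiredScope(method, resource);
  if (needed === null) return { allowed: false, reason: "unknown resource" };
  if (!keyScopes.includes(needed)) {
    return { allowed: false, reason: `missing scope ${needed}` };
  }
  return { allowed: true, reason: needed };
}
```

Checking scopes at creation time is what makes the dashboard's scope picker meaningful: a key that could not be created with "*" cannot later be used as if it had it.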
Best Practices
Use Descriptive Names
Name keys based on their purpose:
✓ "Production Web Server"
✓ "Staging Environment"
✓ "Mobile iOS App"
✓ "Inventory Sync Service"
✗ "Key 1"
✗ "Test"
✗ "asdf"
Implement Least Privilege
Only request the scopes your application needs:
```javascript
// ✓ Good: Only request what you need
const syncKey = await createApiKey({
  name: "Inventory Sync",
  scopes: ["read:products", "write:inventory"],
});

// ✗ Bad: Requesting unnecessarily broad access
const broadKey = await createApiKey({
  name: "Inventory Sync",
  scopes: ["*"], // Never do this
});
```
Separate Keys by Environment
Use different keys for each environment:
| Environment | Usage |
|---|---|
| Development | Local development and testing |
| Staging | Pre-production environment |
| Production | Live production with customer data |
Store Keys Securely
```shell
# ✓ Good: Environment variable, set outside the code base
export TAKETHEME_API_KEY=tt_xxx
```

```javascript
// ✗ Bad: Hardcoded in source code
const apiKey = "tt_xxx"; // Never do this
```
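The "good" side carried through, as an added Node.js example (not TakeTheme's code): the key is read from TAKETHEME_API_KEY, checked against the tt_ + 64-hex format before use, sent in the tt-api-key header the page documents, and redacted from anything that might be logged. Taking the environment as a parameter (defaulting to process.env) is a design choice made so the loader can be tested with constructed environments; the error messages are assumptions.

```javascript
// Added example: fail-closed loading of the API key from the environment.
const KEY_PATTERN = /^tt_[0-9a-f]{64}$/;

// Returns the key or throws. Never includes the offending value in the error:
// a malformed secret in a log is still a secret.
function loadApiKey(env = process.env) {
  const raw = env.TAKETHEME_API_KEY;
  if (raw === undefined || raw === "") {
    throw new Error("TAKETHEME_API_KEY is not set");
  }
  const key = raw.trim(); // tolerate a trailing newline from a secrets file
  if (!KEY_PATTERN.test(key)) {
    throw new Error("TAKETHEME_API_KEY is not a TakeTheme key (expected tt_ + 64 hex chars)");
  }
  return key;
}

// The key travels in the tt-api-key header, never in the URL or query string
// where proxies, browser history and access logs would record it.
function authHeaders(key) {
  return { "tt-api-key": key, "Content-Type": "application/json" };
}

// Redact any key-shaped substring before text reaches a logger, keeping the
// same first-4/last-4 form the dashboard uses.
function redactKeys(text) {
  return text.replace(/tt_[0-9a-f]{64}/g, (m) => m.slice(0, 4) + "..." + m.slice(-4));
}
```

Wire redactKeys into the logger's formatter rather than calling it at each log site; the one call you forget is the one that leaks.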
Monitor Key Usage
Regularly review:
- Which keys are actively used
- Last activity timestamps
- Any unusual access patterns
- Failed authentication attempts
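The review above turned into detection logic, as an added example that is not part of the page: it runs over usage records of the kind the dashboard exposes (name, last-used timestamp, IP restrictions) plus a per-request outcome log, and flags stale keys, keys with repeated failed attempts, and requests from outside a key's IP restrictions. The record shape, the thresholds (30 idle days, 3 failures) and all sample data are constructed for illustration.

```javascript
// Added example: review API key usage and surface what a human should look at.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample: one record per key, as the dashboard would list them.
const KEYS = [
  { id: "key_prod", name: "Production Web Server", lastUsedAt: "2024-05-30T10:00:00Z", allowedIps: ["203.0.113.10"] },
  { id: "key_sync", name: "Inventory Sync Service", lastUsedAt: "2024-02-01T08:00:00Z", allowedIps: [] },
  { id: "key_mobile", name: "Mobile iOS App", lastUsedAt: "2024-05-31T12:00:00Z", allowedIps: ["198.51.100.5"] },
];

// Constructed sample: per-request outcomes. ok:false means the request was
// rejected (e.g. missing scope or IP restriction); the key is identified by id.
const EVENTS = [
  { keyId: "key_prod", ip: "203.0.113.10", ok: true },
  { keyId: "key_prod", ip: "203.0.113.10", ok: true },
  { keyId: "key_mobile", ip: "198.51.100.5", ok: false },
  { keyId: "key_mobile", ip: "198.51.100.5", ok: false },
  { keyId: "key_mobile", ip: "198.51.100.5", ok: false },
  { keyId: "key_mobile", ip: "198.51.100.5", ok: false },
  { keyId: "key_mobile", ip: "192.0.2.77", ok: true },
];

// Returns a list of findings { keyId, type, detail }. Thresholds are assumptions.
function reviewKeyUsage(keys, events, now, { staleDays = 30, failThreshold = 3 } = {}) {
  const findings = [];
  const nowMs = Date.parse(now);
  for (const key of keys) {
    // 1. Keys nobody has used for a long time are rotation/revocation candidates.
    const idleMs = nowMs - Date.parse(key.lastUsedAt);
    if (idleMs > staleDays * DAY_MS) {
      findings.push({ keyId: key.id, type: "stale",
        detail: `unused for ${Math.floor(idleMs / DAY_MS)} days; candidate for revocation` });
    }
    const own = events.filter((e) => e.keyId === key.id);
    // 2. Repeated rejections suggest a misconfigured client or someone probing.
    const failures = own.filter((e) => !e.ok).length;
    if (failures >= failThreshold) {
      findings.push({ keyId: key.id, type: "auth-failures", detail: `${failures} rejected requests` });
    }
    // 3. Any request from outside the key's IP restrictions, even a successful one.
    const offList = own.filter((e) => key.allowedIps.length > 0 && !key.allowedIps.includes(e.ip));
    for (const ip of new Set(offList.map((e) => e.ip))) {
      findings.push({ keyId: key.id, type: "unexpected-ip", detail: `request from ${ip} outside IP restrictions` });
    }
  }
  return findings;
}
```

Schedule this against a recent export rather than running it ad hoc; a stale-key finding is only useful if someone sees it before the key is forgotten entirely.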
Programmatic Key Management
You can manage API keys via the API itself (requires write:api_keys scope):
Create a Key
```shell
curl -X POST "https://api.taketheme.com/api/v1/api-keys" \
  -H "tt-api-key: tt_xxx" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "New Integration Key",
    "scopes": ["read:products", "read:orders"]
  }'
```
List Keys
```shell
curl -X GET "https://api.taketheme.com/api/v1/api-keys" \
  -H "tt-api-key: tt_xxx"
```
Revoke a Key
```shell
curl -X DELETE "https://api.taketheme.com/api/v1/api-keys/key_123abc" \
  -H "tt-api-key: tt_xxx"
```
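The three calls above wrapped in a small Node.js client, as an added example that is not TakeTheme's SDK or code. The URLs, the tt-api-key header and the request bodies follow the curl commands; the response handling (treating a 204 as empty, otherwise parsing JSON) is an assumption, and the transport is injectable so the request construction can be checked offline without a live API.

```javascript
// Added example: minimal client for the api-keys endpoints documented above.
const BASE_URL = "https://api.taketheme.com/api/v1";

// Build the request without sending it. The key goes in the tt-api-key header,
// never in the URL, so it does not end up in access logs or referrers.
function buildRequest(apiKey, method, path, body) {
  return {
    url: `${BASE_URL}${path}`,
    init: {
      method,
      headers: { "tt-api-key": apiKey, "Content-Type": "application/json" },
      body: body === undefined ? undefined : JSON.stringify(body),
    },
  };
}

// Client factory. fetchImpl defaults to the global fetch (Node 18+); pass a
// fake in tests. Response-shape handling is an assumption, not documented API.
function makeApiKeyClient(apiKey, fetchImpl = globalThis.fetch) {
  async function send(method, path, body) {
    const { url, init } = buildRequest(apiKey, method, path, body);
    const res = await fetchImpl(url, init);
    if (!res.ok) throw new Error(`${method} ${path}: HTTP ${res.status}`);
    return res.status === 204 ? null : res.json();
  }
  return {
    // POST /api-keys with name and scopes, as in "Create a Key"
    create: (name, scopes) => send("POST", "/api-keys", { name, scopes }),
    // GET /api-keys, as in "List Keys"
    list: () => send("GET", "/api-keys"),
    // DELETE /api-keys/{id}, as in "Revoke a Key"; id is URL-encoded defensively
    revoke: (id) => send("DELETE", `/api-keys/${encodeURIComponent(id)}`),
  };
}
```

Keep the management key used by this client (the one holding write:api_keys) separate from the keys your applications use day to day; it can mint and revoke credentials and deserves the tightest IP restrictions you can give it.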