Authentication
The TakeTheme API uses custom header authentication. All API requests must include your API key in the tt-api-key header.
Authentication Header
Include your API key in every request using the tt-api-key header:
tt-api-key: YOUR_API_KEY
Important
TakeTheme does not use the standard Authorization header. You must use the custom tt-api-key header.
Making Authenticated Requests
cURL Example
curl -X GET "https://api.taketheme.com/api/v1/product" \
  -H "tt-api-key: tt_abc123xyz789" \
  -H "Content-Type: application/json"
JavaScript Example (with Axios)
import axios from "axios";

const client = axios.create({
  baseURL: "https://api.taketheme.com/api/v1",
  headers: {
    "tt-api-key": process.env.TAKETHEME_API_KEY,
    "Content-Type": "application/json",
  },
});

const response = await client.get("/product");
const data = response.data;
Python Example
import requests
import os

headers = {
    'tt-api-key': os.environ.get('TAKETHEME_API_KEY'),
    'Content-Type': 'application/json'
}

response = requests.get(
    'https://api.taketheme.com/api/v1/product',
    headers=headers
)
data = response.json()
.NET Example
using System.Net.Http;
using System.Net.Http.Headers;
var client = new HttpClient();
client.BaseAddress = new Uri("https://api.taketheme.com/api/v1/");
client.DefaultRequestHeaders.Add("tt-api-key", Environment.GetEnvironmentVariable("TAKETHEME_API_KEY"));
var response = await client.GetAsync("product");
var data = await response.Content.ReadAsStringAsync();
API Key Types
TakeTheme provides two types of API keys:
| Key Type | Prefix | Usage |
|---|---|---|
| Live Keys | tt_ | Production environment with real data |
| Test Keys | tt_ | Sandbox environment for development |
Best Practice
Always use test keys during development to avoid affecting production data.
Security Best Practices
Keep Your Keys Secret
- Never expose API keys in client-side code, public repositories, or version control
- Use environment variables to store API keys in your applications
- Rotate keys periodically, and whenever you suspect they may have been compromised
Environment Variables
Store your API key in an environment variable:
# .env file
TAKETHEME_API_KEY=tt_abc123xyz789
Then access it in your code:
// Node.js
const apiKey = process.env.TAKETHEME_API_KEY;
# Python
import os
api_key = os.environ.get('TAKETHEME_API_KEY')
IP Allowlisting
For enhanced security, you can restrict API key usage to specific IP addresses:
1. Go to Dashboard → Settings → API Keys
2. Click on the key you want to configure
3. Add allowed IP addresses or CIDR ranges
4. Save your changes
Authentication Errors
| Status Code | Error | Description |
|---|---|---|
| 401 | unauthorized | Missing or invalid API key |
| 401 | api_key_expired | The API key has been revoked or expired |
| 403 | forbidden | The API key doesn't have permission for this action |
| 403 | ip_not_allowed | Request from non-allowlisted IP address |
Example Error Response
{
  "error": {
    "type": "unauthorized",
    "message": "Invalid API key provided",
    "code": "INVALID_API_KEY",
    "status": 401
  }
}
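The key-handling advice and the error format above, combined in one standard-library client. This is an added example, not TakeTheme's own code: it fails fast on a missing key, sends the key only to the API host over HTTPS, refuses redirects, and reports 401/403 errors with the key redacted. The names (load_key, redact, build_request, auth_error_from, get, AuthError, NoRedirect), the host pin, the redirect refusal and the redaction format are assumptions of this example; the base URL, header name and error body shape are the ones shown on this page.

```python
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

class AuthError(Exception):  # 401/403: retrying with the same key cannot succeed
    def __init__(self, status, error_type, detail):
        super().__init__(f"{status} {error_type}: {detail}")
        self.status, self.error_type = status, error_type

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # urllib would otherwise resend tt-api-key to the redirect target

def load_key(env=os.environ):
    key = (env.get("TAKETHEME_API_KEY") or "").strip()
    if key.startswith("tt_"):
        return key
    raise RuntimeError("TAKETHEME_API_KEY is unset or lacks the tt_ prefix")  # fail fast

def redact(key):  # log-safe form: prefix and last four characters only
    return "tt_****" + key[-4:] if len(key) >= 12 else "tt_****"

def build_request(path, key, base_url="https://api.taketheme.com/api/v1"):
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "api.taketheme.com":
        raise ValueError(f"refusing to send API key to {parts.scheme}://{parts.hostname}")
    return urllib.request.Request(url, headers={"tt-api-key": key})

def auth_error_from(status, body, key):
    try:  # body format is the one shown under Example Error Response
        err = json.loads(body)["error"]
        etype, msg = str(err["type"]), str(err.get("message", ""))
    except (ValueError, KeyError, TypeError, AttributeError):
        etype, msg = "unknown", "unparseable error body"
    return AuthError(status, etype, f"{msg} (key {redact(key)})")

def get(path, env=os.environ):
    key, opener = load_key(env), urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(build_request(path, key), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code not in (401, 403):
            raise
        raise auth_error_from(exc.code, exc.read(), key) from None
```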
Token Scopes
API keys can be configured with specific scopes to limit their access:
| Scope | Description |
|---|---|
| read:products | Read access to products |
| write:products | Create, update, delete products |
| read:orders | Read access to orders |
| write:orders | Create, update orders |
| read:customers | Read access to customer data |
| write:customers | Create, update customer data |
| read:analytics | Access to analytics and reports |
| write:webhooks | Configure webhook subscriptions |
Request only the scopes your application needs. This follows the principle of least privilege and minimizes security risks.