Authentication

Developer dashboard authentication and public API authentication serve different purposes.

  • Developer account authentication signs a developer into the dashboard to manage callback settings and credentials.
  • API authentication authorizes Extension or Storefront requests through a global API key and saved project connections.

Public API requests must not use a developer dashboard session.

Authentication Flow

  1. Create a developer account from the documentation header.
  2. Log in to the developer dashboard.
  3. Register the developer account callback URL.
  4. Generate a global API key.
  5. Create a connection request with a random state value.
  6. Send the user to the returned ModuSell connection URL.
  7. The user logs in, chooses a project, and approves access.
  8. Receive a one-time authorization code at the registered redirect URL.
  9. Verify state, then complete the connection with the code and the same API key.
  10. Send that API key when requesting data for the connected project.

Developer account + callback URL -> Global API key -> Connection URL -> ModuSell login -> Project selection -> Saved connection
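
The state handling in steps 5 and 9, as an added example that is not ModuSell's own code: it issues a random state per user session, then releases the authorization code from the callback only when the returned state matches, is unexpired, and has not been used before. The query parameter names `code` and `state`, the ten-minute lifetime, the session identifiers and the callback URL are assumptions made for illustration; the calls that create and complete the connection are left out because the page does not define them.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

STATE_TTL_SECONDS = 600  # assumption: lifetime of a pending connection request


class PendingStates:
    """Server-side store of state values issued in step 5, keyed by user session."""

    def __init__(self, now=time.time):
        self._pending = {}  # session_id -> (state, issued_at)
        self._now = now

    def issue(self, session_id):
        state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[session_id] = (state, self._now())
        return state

    def consume(self, session_id, returned_state):
        """True only for a matching, unexpired state. The entry is removed on
        every attempt, so a state can never be checked twice."""
        entry = self._pending.pop(session_id, None)
        if entry is None or not returned_state:
            return False
        state, issued_at = entry
        if self._now() - issued_at > STATE_TTL_SECONDS:
            return False
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(state.encode(), returned_state.encode())


def handle_callback(store, session_id, callback_url):
    """Gate for step 9: return the one-time code if state verifies, else None."""
    query = parse_qs(urlparse(callback_url).query)
    codes, states = query.get("code", []), query.get("state", [])
    if len(codes) != 1 or len(states) != 1:  # missing or duplicated parameter
        return None
    if not store.consume(session_id, states[0]):
        return None
    return codes[0]  # only now complete the connection with code + API key


if __name__ == "__main__":
    store = PendingStates()
    state = store.issue("session-A")  # constructed session id
    url = f"https://integration.example/callback?code=SAMPLECODE&state={state}"
    print(handle_callback(store, "session-A", url))  # code released once
    print(handle_callback(store, "session-A", url))  # replay is rejected
```
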

Credential Boundaries

  • Dashboard sessions authorize only private developer-dashboard actions.
  • API keys belong to the developer account and are not assigned to one integration or project.
  • Each approved project is stored as a separate connection under the API key, so one key can connect to multiple projects.
  • Connected-project requests use Authorization: Bearer YOUR_API_KEY; no additional reusable project credential is issued.
  • API keys are stored as one-way hashes. Raw keys are returned only when created or rotated.

Never send a developer dashboard session token to a public API operation.