API Keys
Create and manage API keys from the API keys page.
Security Model
- The raw API key is shown only once when it is generated.
- The platform stores only a one-way hash of the key, never the raw API key.
- Store the raw key in a secret manager or protected environment variable.
- Never commit an API key to source control or place it in client-side code.
- Send the API key only in the Authorization header, as a bearer credential.
Global Keys
API keys belong directly to the developer account and can be generated without creating an integration or choosing a project. Register the account callback URL before starting a connection. Each key can hold separate approved connections to multiple projects; the signed-in ModuSell user chooses each project on the connection screen.
Rotate a key with POST /v1/auth/api-keys/rotate. Rotation returns the replacement raw key once, transfers active project connections to it, and revokes the previous key. Revoke a key without replacing it with POST /v1/auth/api-keys/revoke.
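Because rotation returns the replacement key once and revokes the previous one, a client has to persist the new key before doing anything else. The sketch below is an added example, not ModuSell code, and shows one way to do that with the key sent only in the Authorization header. Assumptions: the host is a placeholder, the response field name api_key is hypothetical, and a 0600 file stands in for the secret manager write.

```python
import json, os, tempfile, urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder: the page does not give the API host
KEY_FIELD = "api_key"                     # assumed response field name, not documented on the page

def build_rotate_request(current_key, base_url=BASE_URL):
    """POST to the rotate endpoint; the key travels only in the Authorization header."""
    return urllib.request.Request(
        base_url + "/v1/auth/api-keys/rotate",
        method="POST",
        headers={"Authorization": "Bearer " + current_key},
    )

def store_key(path, raw_key):
    """Atomically replace the stored key so a crash never leaves a partial secret."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory)  # mkstemp creates the file with mode 0600
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(raw_key)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise

def rotate(path, send):
    """Rotate the key stored at `path`; `send(request)` returns the response body as bytes."""
    with open(path) as fh:
        old_key = fh.read().strip()
    body = send(build_rotate_request(old_key))
    new_key = json.loads(body).get(KEY_FIELD)
    if not new_key or new_key == old_key:
        # Do not echo the body in the error: it may contain the raw key.
        raise RuntimeError("rotate response did not contain a replacement key")
    store_key(path, new_key)  # persist first: the raw key is returned only once
    return True

def http_send(request):
    """Real transport; tests can pass a stub to rotate() instead."""
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read()
```

Call rotate(path, http_send) from a scheduled job, and keep the response body and the key out of logs and exception messages.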