Axisel / docs
Manage keys← Back to Axisel

Authentication

All requests to the Axisel API require a bearer token. Tokens are generated per-store from the admin panel — there is no OAuth flow in v1; merchants paste keys into your app directly.

Bearer token

Pass the key in the Authorization header:

http
Authorization: Bearer sk_live_<32_hex_chars>
Never embed keys in client-side code (browsers, mobile apps). Keys grant full access to the resources their scopes allow. Treat them like passwords.

Scopes

Each key carries a fixed set of scopes assigned at creation. Available scopes:

ScopeGrants
products:readList + read products and categories
products:writeCreate, update, delete products
orders:readList + read orders
orders:writeUpdate order status, tracking, notes
customers:readList + read customers
customers:write(reserved — no write endpoints in v1)
inventory:readRead stock levels
inventory:writeSet stock levels per product and variant
analytics:readRevenue rollups

A request without the required scope returns 403 witherror.code = "forbidden" and lists what was needed vs. granted.

Key rotation

To rotate a key: create a new one with the same scopes, update your app to use it, then revoke the old one. Up to 5 active keys are allowed per store, giving you headroom for rolling rotations.

Errors

http
401 Unauthorized { "error": { "code": "unauthorized", "message": "Invalid API key" } }