Authentication
All requests to the Axisel API require a bearer token. Tokens are generated per-store from the admin panel — there is no OAuth flow in v1; merchants paste keys into your app directly.
Bearer token
Pass the key in the Authorization header:
httpAuthorization: Bearer sk_live_<32_hex_chars>
⚠Never embed keys in client-side code (browsers, mobile apps). Keys grant full access to the resources their scopes allow. Treat them like passwords.
Scopes
Each key carries a fixed set of scopes assigned at creation. Available scopes:
| Scope | Grants |
|---|---|
products:read | List + read products and categories |
products:write | Create, update, delete products |
orders:read | List + read orders |
orders:write | Update order status, tracking, notes |
customers:read | List + read customers |
customers:write | (reserved — no write endpoints in v1) |
inventory:read | Read stock levels |
inventory:write | Set stock levels per product and variant |
analytics:read | Revenue rollups |
A request without the required scope returns 403 witherror.code = "forbidden" and lists what was needed vs. granted.
Key rotation
To rotate a key: create a new one with the same scopes, update your app to use it, then revoke the old one. Up to 5 active keys are allowed per store, giving you headroom for rolling rotations.
Errors
http401 Unauthorized { "error": { "code": "unauthorized", "message": "Invalid API key" } }