Overview

For secure communication between your backend and our API, Commerce V2 offers an authentication mechanism via API keys. API keys enable server-to-server authentication, allowing your backend systems to securely interact with Commerce endpoints.

Multiple API Keys

You can generate any number of API keys for your account. This allows you to separate different concerns if required—for example, using different keys for development, staging, and production environments, or for different applications or services. Each API key can be assigned a label for easy differentiation and management. Labels help you identify the purpose or environment for each key at a glance.

Scoped API Keys

Scoped API keys provide restricted access to specific merchants and features. This is particularly useful in multi-merchant scenarios where you need to grant limited access to third parties or partners.
Scoped API keys are only available for accounts using the Managed Ecosystem or Ecosystem operating models. If you’re using the Primary Merchant or Platform / Marketplace models, scoped API keys are not available.

Ecosystems

The following features are accessible with a scoped API key:
Endpoint                          Description
GET /tokens                       List tokens
GET /tokens/{id}                  Retrieve token details
GET /tokens/{id}/payment-data     List payment data bundles
POST /payment-data/{id}/forward   Forward payment data
POST /forward                     Forward cardholder data

Managed Ecosystems

Endpoint                          Description
POST /payment-data/{id}/forward   Forward payment data
POST /forward                     Forward cardholder data

Managing API Keys from the Dashboard

You can easily create API keys and assign labels to them directly from the Commerce Dashboard. Each API key remains valid until manually revoked, giving you full control over access management.
1. Navigate to API Keys settings

In the Dashboard, navigate to the Settings tab and select the API Keys tab to view, create new, or delete API keys. You can also access the API Keys settings page directly.

2. Create a new API key

Click the Create API Key button and assign a descriptive label to help identify the key’s purpose.

3. Copy and store securely

After creation, copy the API key immediately. The key will only be displayed once for security reasons.
[Figure: API Keys management interface showing the creation of a new API key in Commerce Dashboard]

Using API Keys

API keys are passed via the HTTP header x-api-key in your requests to the Commerce API.

curl --header 'X-API-Key: <SECRET>' \
  --request POST 'https://api.hellgate.io/...'

API keys must be handled with care and kept secure. Never hardcode API keys in your source code; keep them solely on your backend systems. Use environment variables or a secure secret management system to store and access your API keys.

Rotate your API keys regularly and revoke unused keys to maintain security. If you suspect a key has been compromised, revoke it immediately and create a new one.
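
The storage advice above applied to the curl call, as an added example that is not part of the Commerce documentation: the key is read from an environment variable and handed to curl as a config on stdin, so it stays out of source files, shell history and the process list. The variable name HELLGATE_API_KEY, the function names and the accepted key character set are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code.
# Assumptions: the key is exported as HELLGATE_API_KEY by your secret manager
# or deployment environment, and keys use only the characters allowed below.

# Print a curl config line that sets the x-api-key header.
# Returns 1 if the key is missing or contains characters (quotes, backslashes,
# newlines, spaces) that could inject extra curl options into the config.
api_key_curl_config() {
    key=${HELLGATE_API_KEY:-}
    if [ -z "$key" ]; then
        echo "HELLGATE_API_KEY is not set" >&2
        return 1
    fi
    case $key in
        *[!A-Za-z0-9_.~+/=-]*)
            echo "HELLGATE_API_KEY contains unexpected characters" >&2
            return 1
            ;;
    esac
    printf 'header = "x-api-key: %s"\n' "$key"
}

# Send a request with the key supplied through "--config -" (config on stdin).
# printf is a shell builtin, so the key never appears in any argument list
# that other local users could read with ps.
# Usage: commerce_api POST 'https://api.hellgate.io/...' [extra curl options]
#        (URL path elided exactly as on this page)
commerce_api() {
    method=$1
    url=$2
    shift 2
    config=$(api_key_curl_config) || return 1
    printf '%s\n' "$config" |
        curl --silent --show-error --fail --config - \
             --request "$method" "$@" "$url"
}
```

Because stdin carries the config, pass a request body with --data or --data @file rather than --data @-.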