> ## Documentation Index
> Fetch the complete documentation index at: https://developer.hellgate.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage API Keys

> Create and manage API keys for secure server-to-server authentication with Commerce V2

## Overview

For secure communication between your backend and our [API](/products/commerce/v2/api-reference/getting-started), Commerce V2 offers an authentication mechanism via API keys. API keys enable server-to-server authentication, allowing your backend systems to securely interact with Commerce endpoints.

## Multiple API Keys

You can generate any number of API keys for your account. This allows you to separate different concerns if required—for example, using different keys for development, staging, and production environments, or for different applications or services.

Each API key can be assigned a label for easy differentiation and management. Labels help you identify the purpose or environment for each key at a glance.

## Scoped API Keys

Scoped API keys provide restricted access to specific merchants and features. This is particularly useful in multi-merchant scenarios where you need to grant limited access to third parties or partners.

<Info>
  Scoped API keys are only available for accounts using the **Managed Ecosystem** or **Ecosystem** [operating models](/products/commerce/v2/operating-models). If you're using the Primary Merchant or Platform / Marketplace models, scoped API keys are not available.
</Info>

### Ecosystems

The following features are accessible with a scoped API key:

| Endpoint                                                                                                     | Description               |
| :----------------------------------------------------------------------------------------------------------- | :------------------------ |
| [`GET /tokens`](/products/commerce/v2/api-reference/tokens_management/get-tokens)                            | List tokens               |
| [`GET /tokens/{id}`](/products/commerce/v2/api-reference/tokens_management/get-token-details)                | Retrieve token details    |
| [`GET /tokens/{id}/payment-data`](/products/commerce/v2/api-reference/network_tokens/get-payment-data)       | List payment data bundles |
| [`POST /payment-data/{id}/forward`](/products/commerce/v2/api-reference/network_tokens/forward-payment-data) | Forward payment data      |
| [`POST /forward`](/products/commerce/v2/api-reference/compliance_service/forward-card-data)                  | Forward cardholder data   |

### Managed Ecosystems

| Endpoint                          | Description             |
| :-------------------------------- | :---------------------- |
| `POST /payment-data/{id}/forward` | Forward payment data    |
| `POST /forward`                   | Forward cardholder data |

## Managing API Keys from the Dashboard

You can easily create API keys and assign labels to them directly from the Commerce Dashboard. Each API key remains valid until manually revoked, giving you full control over access management.

<Steps>
  <Step title="Navigate to API Keys settings">
    In the Dashboard, navigate to the **Settings** tab and select the **API Keys** tab to view, create new, or delete API keys. You can also access the <a href="https://app.hellgate.io/settings/api-keys" target="_blank" rel="noopener noreferrer">API Keys settings page</a> directly.
  </Step>

  <Step title="Create a new API key">
    Click the **Create API Key** button and assign a descriptive label to help identify the key's purpose.
  </Step>

  <Step title="Copy and store securely">
    After creation, copy the API key immediately. The key will only be displayed once for security reasons.
  </Step>
</Steps>

<Frame>
  <img src="https://mintcdn.com/starfishgmbhcokg/dfhj2Hm84A9ik5S0/images/commerce/v2/guides/add-api-key.png?fit=max&auto=format&n=dfhj2Hm84A9ik5S0&q=85&s=be8a0588835f4f7c021697680f9b7e42" alt="API Keys management interface showing the creation of a new API key in Commerce Dashboard" width="2400" height="630" data-path="images/commerce/v2/guides/add-api-key.png" />
</Frame>

## Using API Keys

API keys are passed via the HTTP header `x-api-key` in your requests to the Commerce API.

```bash theme={null}
curl --header 'X-API-Key: <SECRET>' \
  --request POST 'https://api.hellgate.io/...'
```

<Warning>
  API keys must be handled with care and kept secure. Never hardcode API keys in your source code, but keep them solely on your backend systems. Use environment variables or secure secret management systems to store and access your API keys.
</Warning>

<Tip>
  Rotate your API keys regularly and revoke unused keys to maintain security. If you suspect a key has been compromised, revoke it immediately and create a new one.
</Tip>
