> ## Documentation Index
> Fetch the complete documentation index at: https://developers.appstle.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the Appstle Bundles API

> Create an Appstle API key and pass it in the X-API-Key header for Bundles Admin API requests.

Every Bundles Admin API request must carry a valid API key. Keys are created in the Appstle dashboard and scoped to a single Shopify store.

## Creating an API key

<Steps>
  <Step title="Open API Key Management">
    Log in to your Appstle admin panel and navigate to **Settings → API Key Management**.
  </Step>

  <Step title="Create a new key">
    Click **Create New Key** and enter a descriptive name such as `Bundles integration` or `ERP bundle sync`.
  </Step>

  <Step title="Copy the key immediately">
    The full key value is shown only once. Store it in your secrets manager before leaving the page.
  </Step>
</Steps>

<Warning>
  API keys grant access to store data. Never expose them in client-side JavaScript, browser extensions, mobile apps, or public repositories.
</Warning>

## Using the API key

Include your key in the `X-API-Key` header on every Admin API request.

<CodeGroup>
  ```bash curl theme={null}
  curl -X GET   "https://bundles-admin.appstle.com/api/external/bundle-rules?shop=your-store.myshopify.com"   -H "X-API-Key: apst_your-api-key-here"
  ```

  ```javascript Node.js theme={null}
  const response = await fetch(
    'https://bundles-admin.appstle.com/api/external/bundle-rules?shop=your-store.myshopify.com',
    {
      headers: {
        'X-API-Key': process.env.APPSTLE_API_KEY,
      },
    }
  );
  const bundleRules = await response.json();
  ```

  ```python Python theme={null}
  import os
  import httpx

  response = httpx.get(
      'https://bundles-admin.appstle.com/api/external/bundle-rules',
      params={'shop': 'your-store.myshopify.com'},
      headers={'X-API-Key': os.environ['APPSTLE_API_KEY']},
  )
  print(response.json())
  ```
</CodeGroup>

<Tip>
  Create one API key per integration. If a tool is compromised or decommissioned, you can revoke that key without disrupting other integrations.
</Tip>

## Storefront endpoints

Storefront endpoints power build-a-box and customer-facing bundle flows. They are documented separately from the Admin API because they are meant to be called in storefront contexts rather than backend integrations.
