Skip to main content

Documentation Index

Fetch the complete documentation index at: https://appstleinc-aeca3e0a.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Every Admin API request must carry a valid API key. Keys are created in your Appstle dashboard and scoped to a single Shopify store. There is no OAuth flow — authentication is a single header on every request.

Creating an API key

1

Open API Key Management

Log in to your Appstle admin panel and navigate to Settings → API Key Management.
2

Create a new key

Click Create New Key and enter a descriptive name that identifies the integration — for example, Klaviyo sync, Mobile app, or Internal dashboard. Good names make it easy to audit and revoke keys later.
3

Copy the key immediately

The full key value is shown only once. Copy it and store it in your secrets manager or environment variable before leaving the page. If you navigate away without copying it, you must create a new key.
4

Store the key securely

Add the key to your application as an environment variable:
APPSTLE_API_KEY=apst_your-api-key-here
Never hard-code the key in source code or commit it to version control.
API keys grant full access to your store’s loyalty data. Treat them like passwords. Never expose them in client-side JavaScript, browser extensions, or public repositories.

Using the API key

Include your key in the X-API-Key header on every Admin API request. 
curl -X GET \
  "https://loyalty-admin.appstle.com/api/external/customer-loyalty?shop=your-store.myshopify.com&customer_id=12345" \
  -H "X-API-Key: apst_your-api-key-here"
You can also pass the key as a query parameter, though the header approach is strongly preferred: 
?api_key=apst_your-api-key-here
Create one API key per integration. If a single key is compromised or a tool is decommissioned, you can revoke it without disrupting your other integrations.

Key management

You can create up to 10 active API keys per store. Each key has:
  • A display name you choose at creation time
  • A last-used timestamp so you can identify stale keys
  • Individual revocation — revoking one key does not affect others

Rotating a key safely

1

Create the replacement key

Go to Settings → API Key Management and create a new key with the same or updated name.
2

Update your integration

Deploy the new key value to your application and verify it works.
3

Revoke the old key

Return to the dashboard and revoke the old key. Revocation is immediate.

Partner integration keys

If you are building an app that connects to multiple merchants’ stores, use the Partner Integration Framework instead of asking merchants to share API keys manually. The Partner Framework:
  • Provisions a scoped apst_ token per merchant automatically during a one-click handshake
  • Lets merchants approve, review, and revoke access from their own dashboard
  • Bypasses the paid API plan — merchants are never charged for partner API usage
  • Revokes tokens automatically when a merchant disconnects or uninstalls Appstle
For partner-initiated connections, use your Partner Secret or HMAC-SHA256 signature alongside the merchant’s X-API-Key. See the integration guide for details on the X-App-Key legacy header and the full partner framework walkthrough.
New integrations should use the Partner Integration Framework. The legacy X-App-Key header continues to work for existing partners but is not recommended for new builds.

Error responses

StatusCauseResolution
401 UnauthorizedKey is missing, malformed, or revokedCheck the header name and value; create a new key if revoked
403 ForbiddenKey is valid but lacks the required permissionVerify the key’s permission level in the dashboard
429 Too Many RequestsRate limit exceededImplement exponential backoff before retrying