> ## Documentation Index
> Fetch the complete documentation index at: https://developers.appstle.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Authenticate with the Appstle Memberships API

> Create API keys in your Appstle dashboard and pass them via the X-API-Key header. Manage up to 10 keys per store, each independently revocable.

Every Admin API request must include a valid API key in the request header. Keys are created and managed directly in your Appstle dashboard, scoped to a single Shopify store, and can be revoked individually without affecting your other integrations.

## Creating an API key

<Steps>
  <Step title="Open API Key Management">
    Log in to your Appstle admin panel and navigate to **Settings → API Key Management**.
  </Step>

  <Step title="Create a new key">
    Click **Create New Key** and give it a descriptive name that identifies the integration — for example, `Klaviyo Integration`, `Mobile App`, or `Zapier Workflow`.
  </Step>

  <Step title="Copy the key immediately">
    Your new key is displayed **only once**. Copy it now and store it in a secure location such as an environment variable or a secrets manager. You cannot retrieve the full key value again after leaving this screen.
  </Step>

  <Step title="Use the key in your requests">
    Pass the key in the `X-API-Key` header of every Admin API request.
  </Step>
</Steps>

<Warning>
  Never expose your API key in client-side JavaScript, browser applications, or public source code repositories. API keys must only be used in server-side code.
</Warning>

## Sending the API key

Include your key in the `X-API-Key` request header:

<CodeGroup>
  ```bash cURL theme={null}
  curl -X GET \
    "https://membership-admin.appstle.com/api/external/v2/membership-contracts?shop=your-store.myshopify.com&customerId=12345" \
    -H "X-API-Key: apst_your-api-key-here"
  ```

  ```javascript Node.js theme={null}
  const response = await fetch(
    'https://membership-admin.appstle.com/api/external/v2/membership-contracts?shop=your-store.myshopify.com&customerId=12345',
    {
      headers: {
        'X-API-Key': process.env.APPSTLE_API_KEY,
      },
    }
  );
  const data = await response.json();
  ```

  ```python Python theme={null}
  import requests
  import os

  response = requests.get(
      'https://membership-admin.appstle.com/api/external/v2/membership-contracts',
      params={'shop': 'your-store.myshopify.com', 'customerId': '12345'},
      headers={'X-API-Key': os.environ['APPSTLE_API_KEY']},
  )
  data = response.json()
  ```
</CodeGroup>

You can also pass the key as a query parameter using `?api_key=apst_your-api-key-here`, but the header approach is recommended for security.

## Key format

All API keys use the `apst_` prefix. Existing legacy keys created before this prefix was introduced continue to work without any migration required.

```
apst_AbCdEfGhIjKlMnOpQrStUvWxYz123456789012
```

## Key management

You can create up to **10 active API keys** per store. Managing keys from the dashboard gives you fine-grained control over which integrations can access your membership data.

| Action     | How                                                                      |
| ---------- | ------------------------------------------------------------------------ |
| **Create** | Settings → API Key Management → Create New Key                           |
| **Track**  | Each key displays its last-used timestamp so you can identify stale keys |
| **Revoke** | Click Revoke on any individual key — other keys are not affected         |
| **Rotate** | Create a new key, update your integration, then revoke the old key       |

<Tip>
  Create a separate API key for each integration. This way you can revoke access for a single integration without disrupting others — for example, if a third-party tool is compromised or decommissioned.
</Tip>

## Storing keys securely

Store your API key as an environment variable and read it at runtime. Never hardcode it in your source files.

```bash theme={null}
# .env — never commit this file
APPSTLE_API_KEY=apst_your-api-key-here
```

```javascript theme={null}
// Read from environment at runtime
const apiKey = process.env.APPSTLE_API_KEY;
```

## Authentication errors

If your request is rejected due to authentication, you will receive a `401 Unauthorized` response:

```json theme={null}
{
  "error": "Unauthorized",
  "message": "Invalid API key provided",
  "status": 401
}
```

Common causes:

* The key was revoked from the dashboard
* The key was copied with extra whitespace
* The `X-API-Key` header is missing from the request
* You are using a key that belongs to a different store

## Partner integrations

If you are building a product that integrates with Appstle Memberships (a CRM, helpdesk, email platform, or automation tool), you can apply for a **Partner Key**. Partner integrations bypass the paid API plan requirement, making it free for merchants to use your integration.

Partner authentication uses two headers:

```
X-API-Key: <merchant-api-key>
X-App-Key: <your-partner-key>
```

The merchant provides their API key through your integration settings, and Appstle provisions your partner key once during onboarding — it is the same key for all merchants using your integration. To apply, contact [support@appstle.com](mailto:support@appstle.com).

<Info>
  Direct API access (without a partner key) requires an active API plan. Contact [support@appstle.com](mailto:support@appstle.com) for pricing details.
</Info>
