Every request to a protected Quickshops Headless API endpoint must include an x-api-key header with a valid headless API key. Keys are issued from your Quickshops dashboard and always begin with qk_. The API never stores your key in plaintext — it is hashed before being looked up.

Creating an API key

1. Open your dashboard
   Log in to your Quickshops dashboard.

2. Go to Settings → API Keys
   Navigate to Settings in the sidebar, then select API Keys.

3. Create a key
   Click Create key, select the appropriate key type, and confirm.

4. Copy the key immediately
   The plaintext key is only shown once. Copy it and store it in a secure location such as an environment variable or a secrets manager. You cannot retrieve it again after leaving this screen.

Key types

There are two key types. Choose the one that matches the operations your integration needs to perform.
| Key type | Read products & store | Cart, checkout, subscriptions |
| --- | --- | --- |
| Public | Yes | No |
| Secret | Yes | Yes |

Use the most restrictive key type that your integration requires. If your storefront only needs to display products, a public key is sufficient. If you are managing carts or initiating checkout, you need a secret key.
Never expose a secret key in client-side code or public repositories. Use secret keys only in server-side environments where they cannot be accessed by end users.

Using your API key

Pass the key in the x-api-key header on every request.
curl https://api.quickshops.app/v1/products \
  -H "x-api-key: qk_your_key_here"
Your environment configuration should look something like this:
HEADLESS_API_KEY=qk_...
Then read the variable in your server-side code and include it in each request header. Do not hard-code the key in source files.

Key rotation

Rotate your keys regularly to reduce the blast radius of a potential compromise.
  • Rotate every 30–60 days as a baseline.
  • Issue the new key, deploy your integration with the new key, then immediately revoke the old key.
  • Verify that all services using the old key have been updated before revoking it.
You can revoke a key at any time from Settings → API Keys in your dashboard.

Common authentication errors

| Error message | Cause |
| --- | --- |
| API key required | The x-api-key header was not included in the request. |
| Missing or invalid API key | The key is missing, malformed, or has been revoked. |
| Scope ... required | The endpoint requires a secret key but a public key was provided. |
| Rate limit exceeded | The key or endpoint has exceeded its request limit. Retry later. |

All errors are returned as JSON with status, code, message, and requestId fields. See Overview for the full error format.
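
The server-side handling described under "Using your API key" and the error fields listed above, as an added example that is not Quickshops' own code: it reads HEADLESS_API_KEY, refuses to run with a missing or wrongly prefixed value, attaches the x-api-key header, and turns an error body into a log-safe exception. The function names, the redaction convention, and the sample error values are assumptions made for illustration.

```python
import json
import os
import urllib.request

API_BASE = "https://api.quickshops.app/v1"  # base URL taken from the curl example
KEY_ENV = "HEADLESS_API_KEY"                # variable name taken from the page


class QuickshopsAuthError(Exception):
    """Carries the API's error fields; never contains the key itself."""


def load_key(environ=os.environ):
    """Read the key from the environment and fail closed if it looks wrong."""
    key = environ.get(KEY_ENV, "").strip()
    if not key:
        raise QuickshopsAuthError(f"{KEY_ENV} is not set")
    if not key.startswith("qk_"):
        # Do not echo the value: it may be another secret pasted by mistake.
        raise QuickshopsAuthError(f"{KEY_ENV} does not start with qk_")
    return key


def redact(key):
    """Log-safe form of a key (local convention, not a Quickshops feature)."""
    return "qk_..." + key[-4:] if len(key) >= 16 else "qk_..."


def build_request(path, environ=os.environ):
    """Build (not send) a GET request that carries the x-api-key header."""
    req = urllib.request.Request(API_BASE + path, method="GET")
    req.add_header("x-api-key", load_key(environ))
    return req


def error_from_body(body):
    """Turn the JSON error body into an exception that keeps requestId."""
    err = json.loads(body)
    return QuickshopsAuthError(
        f"{err.get('status')} {err.get('code')}: {err.get('message')} "
        f"(requestId={err.get('requestId')})"
    )


# Constructed sample body with the four fields the page names; values are made up.
SAMPLE_ERROR = json.dumps({"status": 401, "code": "example_code",
                           "message": "Missing or invalid API key",
                           "requestId": "req_example"})
```

Log `redact(key)` and the `requestId` when reporting a failure, never the header value itself.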