
API Tokens

How clients create and manage API tokens to access the Commerce REST API programmatically.

Last updated 1776211200

Overview

API tokens allow clients to authenticate against the Commerce REST API without using their password. Tokens are SHA-256 hashed before storage — the plaintext token is shown only once at creation time. Each token can be given a descriptive name and revoked independently.


Accessing API Tokens

Go to Client → Profile → API Tokens tab (/client/api-tokens).

The page shows a list of all active tokens with their name, creation date, and last-used date. Tokens are never shown in plaintext after initial creation.


Creating a Token

  1. Enter a descriptive Token name (e.g. deploy-script, monitoring-bot, whmcs-migration).
  2. Click Create Token.
  3. The new plaintext token appears in a green highlighted box at the top of the page.

[!IMPORTANT] Copy the token immediately. Once you navigate away or refresh the page, the plaintext token cannot be retrieved. If you lose it, you must revoke the token and create a new one.

The token format is a long random string (e.g. opt_live_abc123...). Store it in a secrets manager or environment variable — never commit it to source control.


Using a Token

Include the token as a Bearer token in the Authorization header of every API request:

Authorization: Bearer {your-token-here}

Example with curl:

curl https://your-domain.com/api/v1/me \
  -H "Authorization: Bearer opt_live_abc123..."

All API requests must be made over HTTPS. HTTP requests will be rejected.


Available API Endpoints

The following endpoints are available to clients via API token authentication:

Method  Endpoint                 Description
GET     /api/v1/me               Authenticated client profile
GET     /api/v1/services         List all services
GET     /api/v1/services/{id}    Service detail
GET     /api/v1/invoices         List all invoices
GET     /api/v1/invoices/{id}    Invoice detail
GET     /api/v1/orders           List all orders
GET     /api/v1/orders/{id}      Order detail
GET     /api/v1/domains          List all domains
GET     /api/v1/domains/{id}     Domain detail

[!TIP] All list endpoints support pagination via ?page=N and ?per_page=N query parameters. Responses follow a consistent JSON structure with a data array and meta pagination object.
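The following is an added client example, not code shipped with the product: it sends the token as a Bearer credential over HTTPS only, walks a list endpoint with ?page=N and ?per_page=N, collects the data arrays, and treats a 401 as a revoked token. The meta field name last_page, the host example.invalid, and the token opt_live_EXAMPLE are assumptions; fake_send is a constructed stand-in transport so it runs offline, while http_send is the real one.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

class TokenRevoked(Exception):
    """The API answered 401 Unauthorized: the token was revoked or is invalid."""

def build_request(base_url, path, token, page=1, per_page=50):
    """HTTPS-only request carrying the token as a Bearer credential."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("API tokens must only be sent over HTTPS")
    url = f"{base_url}{path}?{urlencode({'page': page, 'per_page': per_page})}"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers)

def fetch_all(base_url, path, token, send, per_page=50):
    """Walk a list endpoint page by page and collect every record from its data arrays.
    Assumption: the meta object carries a last_page field (field name not in the docs)."""
    records, page = [], 1
    while True:
        status, body = send(build_request(base_url, path, token, page, per_page))
        if status == 401:  # token revoked or invalid: stop rather than keep retrying it
            raise TokenRevoked("401 Unauthorized: token revoked or invalid")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP status {status}")
        payload = json.loads(body)
        records.extend(payload["data"])
        if page >= payload.get("meta", {}).get("last_page", page):
            return records
        page += 1

def http_send(req):
    """Real transport: perform the request and return (status, body), even for 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()

# Constructed stand-in transport so the example runs offline: two pages of services.
SAMPLE_PAGES = {1: [{"id": 11}, {"id": 12}], 2: [{"id": 13}]}

def fake_send(req):
    if req.get_header("Authorization") != "Bearer opt_live_EXAMPLE":  # unknown/revoked token
        return 401, b'{"message": "Unauthenticated."}'
    page = int(parse_qs(urlsplit(req.full_url).query)["page"][0])
    body = {"data": SAMPLE_PAGES[page], "meta": {"current_page": page, "last_page": 2}}
    return 200, json.dumps(body).encode()
```

Against a real installation, pass http_send instead of fake_send and read the token from an environment variable or secrets manager rather than a literal.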


Token Permissions

All API tokens created by a client have the same permission scope — read access to that client's own data. Tokens cannot:

  • Access other clients' data
  • Create or modify orders or invoices via the API
  • Access the admin panel or any staff-level endpoints

If you need write access or administrative API access, contact your hosting provider. Admin-level API tokens are separate and managed from the admin panel.


Revoking a Token

To revoke a token:

  1. On the API Tokens tab, locate the token you want to revoke.
  2. Click the Revoke button next to it.
  3. A password confirmation modal appears — enter your current password.
  4. Click Confirm Revoke.

The token is immediately invalidated. Any application using it will receive a 401 Unauthorized response on its next request.

[!TIP] If you suspect a token has been compromised, revoke it immediately and create a replacement. The last-used timestamp on the token list can help you identify whether a token has been used unexpectedly.


Token Security Best Practices

  • Give each token a meaningful name that identifies what uses it.
  • Create one token per application or script — do not share a single token across multiple systems.
  • Rotate tokens periodically, especially for production integrations.
  • Never expose tokens in client-side JavaScript or public repositories.
