API keys
API requests are authenticated with a secret token (API key) that belongs to your team. There are no scopes: a key grants full access to the REST API for that team in the environment it was created for (test or live).
Who can create keys
Only team members with the Owner, Admin, or Developer role can create, rename, revoke, enable, or delete API credentials. Read-only members cannot.
Create a key
- Sign in to the eCourier dashboard.
- Open the correct environment using the Test / Live switch (see Test vs. Live mode):
  - Test — tokens start with pk_test_ and only affect test networks.
  - Live — tokens start with pk_live_ and affect production traffic.
- Select the team you are integrating for (tenant).
- In the sidebar, go to Developers → API Credentials.
- Click New API credential, enter a name (for your own reference, e.g. “ERP production”), and confirm.
- Copy the token immediately from the dialog. It is shown only once; eCourier does not store the plain text token after that.
You can create multiple credentials per team and per environment (for example one per service or deployment).
Use the key
Send the token on every request to the API using the Authorization header:
Authorization: Bearer <your-token>
The API is hosted separately from the dashboard at https://api.ecourier.io. Append the paths from the API reference (for example https://api.ecourier.io/v1/...). Whether traffic is test or live is determined only by which token you use (pk_test_… vs pk_live_…), not by the hostname.
Revoke, enable, or delete
On Developers → API Credentials, each row has actions to:
- Revoke — reject API calls until you Enable the credential again (the token string is unchanged).
- Delete — remove the credential permanently (create a new credential if you need a new secret).
Security practices
- Treat tokens like passwords: do not commit them to source control, log them, or expose them in client-side code.
- Prefer one credential per integration so you can revoke a single system without rotating everything.
- Use test keys for development and live keys only when you are ready for production traffic.
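The practices above and the header format from "Use the key" can be enforced in client code. The following is an added example, not eCourier's own code: it reads the token from an environment variable, refuses a test/live mismatch by prefix, and keeps the token out of log output. The variable name ECOURIER_API_KEY and all function and class names are assumptions.

```python
import logging
import os

# Prefixes are from this page; the variable name ECOURIER_API_KEY is an assumption.
PREFIXES = {"test": "pk_test_", "live": "pk_live_"}
ENV_VAR = "ECOURIER_API_KEY"


def load_token(expected_env, environ=os.environ):
    """Read the token from the environment and refuse a test/live mismatch."""
    token = environ.get(ENV_VAR, "").strip()
    if not token:
        raise RuntimeError(f"{ENV_VAR} is not set")
    prefix = PREFIXES[expected_env]
    if not token.startswith(prefix):
        # The error names the expected prefix only, never the token itself.
        raise RuntimeError(f"{ENV_VAR} is not a {expected_env} key (expected {prefix}...)")
    return token


def auth_headers(token):
    """Build the header documented under 'Use the key'."""
    return {"Authorization": f"Bearer {token}"}


def redact(token):
    """Keep only the environment prefix so logs still show test vs. live."""
    for prefix in PREFIXES.values():
        if token.startswith(prefix):
            return prefix + "***"
    return "***"


class TokenRedactingFilter(logging.Filter):
    """Replace the token with its redacted form in every log record."""

    def __init__(self, token):
        super().__init__()
        self._token = token

    def filter(self, record):
        message = record.getMessage()
        if self._token in message:
            record.msg = message.replace(self._token, redact(self._token))
            record.args = ()
        return True
```

Attach the filter to each log handler (`handler.addFilter(TokenRedactingFilter(token))`) so that a header or URL logged by accident is scrubbed before it is written.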