API authentication using application keys

Application keys (appKey) are credentials used to authenticate requests to VTEX APIs. Store administrators can create multiple application keys that may be used, for example, for different integrations. Read Generating and managing application keys to learn how to create these credentials.

An application key includes specific permissions, based on License Manager roles and resources selected when creating or editing the application key. Read Managing app key permissions for more details.

Each appKey you create has an associated appToken. The appKey-appToken pair can be used in API requests to authorize interactions with VTEX services, provided the application key has roles with the required resources.

Application keys are usually the best way to authenticate API calls in your integrations or in self-hosted backend requests in general. However, frontend requests should be authenticated with user tokens.

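Do not use application keys in your client-side code. Anything shipped to the browser can be read by whoever loads the page, so embedding the credentials there makes your store vulnerable to attacks. Follow the Best practices for using application keys.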

Usage

Use the appKey and appToken credential pair to authenticate API requests by sending their values in these HTTP headers:

Header key             Value
X-VTEX-API-AppKey      {appKey}
X-VTEX-API-AppToken    {appToken}

See an example Get order request:


curl --location --request GET 'https://apiexamples.vtexcommercebeta.com.br/api/oms/pvt/orders/:orderId' \
--header 'X-VTEX-API-AppKey: vtexappkey-example-YSWQFZ' \
--header 'X-VTEX-API-AppToken: eyJhbGciOiJFUzI1NiIsImtpZCI6IjA1MTZFN0IwMDNFODMxRTg0QkFDOTg2NzBCNUM2QTRERTlBN0RFNkUiLCJ0eXAiOiJqd3QifQ.eyJzdWIiOiJwZWRyby5jb3N0YUB2dGV4LmNvbS5iciIsImFjY291bnQiOiJhcHBsaWFuY2V0aGVtZSIsImF1ZGllbmNlIjoiYWRtaW4iLCJzZXNzIjoiZjU3YjMyMGItMWE3YS00YzlkLWJkNDMtZTE4NDdhYmE1MTE1IiwiZXhwIjoxNjE2NzY3Mjc4LCJ1c2VySWQiOiJmYjU0MmU1MS01NDg4LTRjMzQtOGQxNy1lZDhmY2Y1OTdhOTQiLCJpYXQiOjE2MwerY2ODA4NzgsImlzcyI6InRva2VuLWVtaXR0ZXIiLCJqdGkiOiJmYTI0YWJiOC03Y2E5LTQ3NjUtYmYzNC1kMmvU5YTgzYjYxZmUifQ.23rn-2dEdAAYXJX2exrxDEdbieyKWsVKABeSUNeFWyhz7xRd7d5EcxwiMLjM3bRaBOKrAA9Op7ocn89c45qQ' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json'

According to the W3C definition of Message Headers in HTTP requests, header names are case-insensitive. X-VTEX-API-AppKey, x-vtex-api-appkey, or any other variation in the casing of the authentication headers will work the same way.
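
The warning against client-side use and the note on case-insensitive header names combine into a simple pre-deploy check, shown here as an added example that is not VTEX code: scan frontend files for the two authentication header names in any casing and for key-like values. The `vtexappkey-` value pattern is an assumption taken from the sample request above, and the file-suffix list and function names are hypothetical.

```python
import re
from pathlib import Path

# Header names from this page. HTTP header names are case-insensitive,
# so every casing variant has to be matched.
HEADER_RE = re.compile(r"x-vtex-api-app(?:key|token)", re.IGNORECASE)
# Assumption: appKey values look like the page's sample ("vtexappkey-...").
APPKEY_RE = re.compile(r"vtexappkey-[A-Za-z0-9]+-[A-Za-z0-9]+", re.IGNORECASE)
# Hypothetical choice of file types that end up in a browser bundle.
CLIENT_SUFFIXES = {".js", ".jsx", ".ts", ".tsx", ".html", ".map"}


def scan_text(text):
    """Return (line_number, kind, match) for each finding in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in HEADER_RE.finditer(line):
            findings.append((lineno, "auth-header", m.group(0)))
        for m in APPKEY_RE.finditer(line):
            # Keep only the prefix so the report itself does not leak the key.
            findings.append((lineno, "appkey-value", m.group(0)[:11] + "..."))
    return findings


def scan_tree(root):
    """Scan client-side files under root and return {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in CLIENT_SUFFIXES:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[str(path)] = found
    return report


# Constructed sample: a frontend file that wrongly embeds the credentials.
SAMPLE_BUNDLE = """\
const headers = {
  'x-vtex-api-appkey': 'vtexappkey-example-YSWQFZ',
  'X-VTEX-API-AppToken': token,
  Accept: 'application/json',
};
"""

if __name__ == "__main__":
    for lineno, kind, match in scan_text(SAMPLE_BUNDLE):
        print(f"line {lineno}: {kind}: {match}")
```

A non-empty report from `scan_tree` on the frontend build directory is a reason to fail the build and move the call behind a backend endpoint.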
