Skip to main content

Overview

API tokens let you interact with your store programmatically. Use them to build custom integrations, automate workflows, or connect third-party tools to your Pandabase store. You can create up to 25 tokens per store.

Authentication modes

Each token can use one of two authentication modes:

Bearer

Send the token in the Authorization header: 
Authorization: Bearer sk_live_...
Simple and straightforward. Best for server-side integrations where the token is stored securely.

HMAC

Sign each request with your token’s secret using HMAC-SHA256. The request includes:
  • X-Pandabase-Token — your token ID
  • X-Pandabase-Timestamp — current Unix timestamp
  • X-Pandabase-Signature — HMAC-SHA256 signature of the request
Best for environments where you want to verify request integrity and prevent replay attacks.

Permissions

Tokens have granular permissions that control what they can access. Only grant the permissions your integration needs.
PermissionReadWrite
StoreView store detailsUpdate store settings
ProductsList and view productsCreate, update, delete products
CategoriesList and view categoriesCreate, update, delete categories
CouponsList and view couponsCreate, update, delete coupons
OrdersList and view orders, paymentsRetry fulfillment
CustomersList and view customers
WebhooksList and view webhooksCreate, update, delete webhooks
AnalyticsView analytics data
PayoutsList and view payouts
LicensesList, view, and verify licenses
RefundsList and view refundsIssue refunds

Secret rotation

You can rotate a token’s secret at any time. The old secret is immediately invalidated. Make sure to update your integration before rotating.

Request logging

All Store API requests are logged automatically with a 30-day retention. Each log entry includes the HTTP method, path, status code, response time, and IP address. View logs in the dashboard or via the API Logs endpoints.
Treat API tokens like passwords. Never expose them in client-side code, public repositories, or logs. If a token is compromised, rotate or delete it immediately.