Skip to main content
- Authentication

API authentication

API keys are per shop. Store them like passwords, send them as Bearer tokens, and rotate by creating a new key before revoking the old one.

Last updated - June 5, 2026 Read time - 4 min Author -

Send the Bearer token

Every API request should include the API token in the Authorization header.

Authorization: Bearer adk_live_<keyId>_<secret>

Tokens are shown once when created. Store the full token in your secret manager; it cannot be recovered later.

Create, rotate, and revoke keys

  • Create API keys from the Alva API keys settings page after your shop is approved.
  • Rotate credentials by creating a new key, updating your integration, then revoking the old key.
  • A missing, malformed, unknown, or revoked key returns the same unauthorized response.
  • Never send shop ids in request bodies to select a shop. The API scopes access from the token.

API docs

Start here

API quickstart

Ping the API, import an asset, map it to a product, and assign access to an order.

 Reference

Endpoint reference

Review the available endpoints for assets, mappings, orders, access changes, and status.

Was this helpful?

Still stuck? Email admin@alvaapps.com.

Last updated 2026-06-05