
Get your API keys

Mint an admin key and a publishable key from the merchant panel.

Sellvik issues two key classes. You will almost always create one of each.

| Class | Prefix | Where it lives | What it does |
|---|---|---|---|
| Admin key | sk_live_… | Your server | Full CRUD over the resources you scope it for. |
| Publishable key | pk_live_… | Browser, mobile app | Read catalog, write to cart, run checkout, sign customers in. |

A third class — the customer JWT — is issued by Sellvik in response to a successful POST /v1/store/auth/login and identifies a signed-in shopper. You don't mint it; your storefront receives it.

Mint an admin key

  1. Open the panel: https://<shop-subdomain>.sellvik.com/.
  2. Go to Settings → API keys.
  3. Click New admin key.
  4. Pick the scopes you need. The full set is documented in Authentication → Scopes. For this guide, enable products:read and categories:read.
  5. Copy the key. It is shown only once. If you lose it, mint a new one and revoke the old.

The key looks like sk_live_a1b2c3_AbCdEf.... The first ~14 characters are a non-secret prefix used for triage; everything after is the secret.

Mint a publishable key

  1. Same panel: Settings → API keys.
  2. Click New publishable key.
  3. Add the origins your storefront will load from to the Allowed Origins list — e.g. https://shop.example.com. This is the CORS allowlist; only exact matches work, no wildcards. See CORS.
  4. Toggle Headless mode on for the shop. Without it, publishable keys return 403 headless_mode_disabled.

Publishable keys carry no scope. Their capability ceiling is the set of /v1/store/* endpoints, which expose nothing a public visitor couldn't see or do anyway. Read PUBLISHABLE_CAPABILITIES for the surface.

Store them safely

  • Admin keys: put them in a secret manager. Never commit, never log, never expose in browser JS.
  • Publishable keys: safe to ship to the browser. They identify your shop; they do not authorise anything a visitor couldn't do.
  • Customer JWTs: the storefront's responsibility — typically localStorage or an httpOnly cookie set by your edge.
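
One way to enforce the "never commit, never log, never expose in browser JS" rule for admin keys is a small check that runs over build output and log lines. This is an added example, not Sellvik code; the key pattern is an assumption inferred from the single sample above (sk_live_a1b2c3_AbCdEf...), and the function names and sample strings are constructed.

```javascript
// Assumed key shape, inferred from the one sample on the page:
// non-secret prefix "sk_live_" + short id (about 14 chars), then "_" + secret.
// The secret's alphabet and minimum length are assumptions.
const ADMIN_KEY_PATTERN = /\b(sk_live_[A-Za-z0-9]+)_([A-Za-z0-9_-]{6,})/g;

// Mask the secret part of every admin key but keep the non-secret prefix,
// so a log line can still be traced to a specific key for triage.
function redactAdminKeys(text) {
  return text.replace(ADMIN_KEY_PATTERN, (_match, prefix) => `${prefix}_[REDACTED]`);
}

// Report admin keys in text headed for a repository or a browser bundle.
// Publishable keys (pk_live_…) are not reported: they are meant to ship
// to the client. Findings carry only the prefix, never the secret.
function findAdminKeys(text, source = "<input>") {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(ADMIN_KEY_PATTERN)) {
      findings.push({ source, line: index + 1, prefix: match[1] });
    }
  });
  return findings;
}

// Constructed sample: a storefront bundle that wrongly embeds an admin key.
const SAMPLE_BUNDLE = [
  'const PUBLISHABLE_KEY = "pk_live_d4e5f6_ZyXwVuTsRq";',
  "// debug leftover below",
  'const ADMIN_KEY_VALUE = "sk_live_a1b2c3_AbCdEfGhIjKl";',
].join("\n");

// Constructed sample log line.
const SAMPLE_LOG = "auth failed key=sk_live_a1b2c3_AbCdEfGhIjKl ip=203.0.113.7";

for (const f of findAdminKeys(SAMPLE_BUNDLE, "bundle.js")) {
  console.log(`${f.source}:${f.line} admin key with prefix ${f.prefix}`);
}
console.log(redactAdminKeys(SAMPLE_LOG));
```

A finding in a build step should fail the build; once a key has reached a commit or a bundle, mint a new one and revoke the old.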

Continue with Fire your first request →.
