Authentication
How to authenticate your requests to the OrbisCommerce API.
API Keys
The OrbisCommerce API uses Bearer token authentication. Include your API key in the Authorization header of every request.
Authorization: Bearer YOUR_API_KEY
API keys are prefixed with orb_live_ for production and orb_test_ for sandbox:
orb_live_sk_a1b2c3d4e5f6... # Production
orb_test_sk_x9y8z7w6v5u4... # Sandbox
Sandbox vs Production
The sandbox environment lets you test without generating real shipments or charges.
| Environment | Base URL |
|---|---|
| Production | https://api.orbiscommerce.com/v1 |
| Sandbox | https://sandbox.orbiscommerce.com/v1 |
Sandbox shipments, labels, and tracking events are simulated. Use sandbox keys only in development.
Getting Your API Key
- Log in to your OrbisCommerce dashboard
- Go to Settings → API Keys
- Click Generate New Key
- Copy and store it securely — it will only be shown once
Key Permissions
Each key can be scoped to specific permissions:
| Permission | Description |
|---|---|
shipments:read | Read shipment data |
shipments:write | Create and cancel shipments |
labels:read | Download labels |
labels:write | Generate and void labels |
tracking:read | Access tracking events |
webhooks:write | Manage webhook endpoints |
rates:read | Fetch carrier rates |
Security Best Practices
- Never expose API keys in client-side code or public repositories
- Rotate keys regularly and immediately if compromised
- Use separate keys per environment (sandbox / production)
- Scope keys to the minimum permissions required
Revoking a Key
Keys can be revoked from the dashboard at any time under Settings → API Keys → Revoke. Revoked keys return 401 Unauthorized immediately.