
API Settings

Your Storefront key authenticates public requests from your customer-facing app — pass it as a bearer token on every API call.

Every store and network in Storefront has a unique public key that authenticates requests from your customer-facing app (mobile or web). The key is passed as a bearer token in the standard HTTP Authorization header.

Navigate to Storefront → Settings → API to view your store's key.

Your Store Key

The store key is auto-generated when the store is created. It follows the format store_<hash> (e.g., store_a1b2c3d4e5f6...).

This key is public — it is safe to include in your mobile app or web frontend. It identifies which store the request is for; it does not grant admin access.

GET /storefront/v1/products
Authorization: Bearer store_a1b2c3d4e5f6

Network Key

If you operate a network, the network key follows the same pattern: network_<hash>. Use the network key to fetch stores, categories, and other network-level resources.

GET /storefront/v1/stores
Authorization: Bearer network_a1b2c3d4e5f6

Authenticated Customer Requests

For requests that require an authenticated customer (cart, checkout, profile, addresses, orders), include the customer's session token in the Customer-Token header in addition to the storefront bearer token:

const response = await fetch('https://your-fleetbase-instance.com/storefront/v1/checkouts/before', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer store_a1b2c3d4e5f6',
    'Customer-Token': '1|VlKK7lZ...',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ /* ... */ })
});

The Customer-Token is the Sanctum personal access token returned by the customer login endpoints — see Customer Authentication.
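
An added example (not Fleetbase's own code) of a client-side request builder that treats the two credentials differently: the public storefront key goes on every call, while the Customer-Token is attached only when the caller marks the request as customer-scoped, only over HTTPS, and is redacted before logging. The names keyScope, buildRequest and redactForLog, the requiresCustomer option, and the alphanumeric pattern assumed for <hash> are hypothetical.

```javascript
// Added example, not Fleetbase code. Function and option names are hypothetical.
const API_PREFIX = '/storefront/v1/';

// The page documents two key formats: store_<hash> and network_<hash>.
// Assumption: <hash> is alphanumeric, as in the page's sample key.
function keyScope(key) {
  if (typeof key !== 'string') return null;
  const m = /^(store|network)_[A-Za-z0-9]+$/.exec(key);
  return m ? m[1] : null;
}

// Returns a request descriptor that can be passed to fetch(url, { method, headers, body }).
function buildRequest(baseUrl, path, opts = {}) {
  const { key, customerToken, requiresCustomer = false, method = 'GET', body } = opts;
  if (!keyScope(key)) throw new Error('expected a store_ or network_ key');
  if (!path.startsWith(API_PREFIX)) throw new Error('unexpected API path');

  const headers = { Authorization: 'Bearer ' + key };
  if (requiresCustomer) {
    if (!customerToken) throw new Error('Customer-Token required for this request');
    // The customer token is a credential: never send it over plain HTTP.
    if (!baseUrl.startsWith('https://')) {
      throw new Error('refusing to send Customer-Token without TLS');
    }
    headers['Customer-Token'] = customerToken;
  }
  // A customerToken passed for a public request is deliberately not attached.
  if (body !== undefined) headers['Content-Type'] = 'application/json';

  return {
    url: baseUrl.replace(/\/+$/, '') + path,
    method,
    headers,
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}

// The storefront key is public and may appear in logs; the customer token may not.
function redactForLog(req) {
  const headers = { ...req.headers };
  if ('Customer-Token' in headers) headers['Customer-Token'] = '[redacted]';
  return { method: req.method, url: req.url, headers };
}
```

Passing the key in as a parameter rather than hard-coding it at each call site keeps the rotation described below to a single configuration change in the client.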

Key Rotation

The API settings page displays the key as read-only — there is no in-console regenerate button. If a key is compromised:

  1. Open the database (or use the Fleetbase admin console) to update the key column on the affected Store or Network record
  2. Redeploy your customer-facing app with the new key

For self-hosted instances, plan for this at deploy time — clients with a stale key will fail authentication immediately after rotation.
