Authentication

To securely authenticate your API calls, you must include your secret API key in the Authorization header of every request. The same API key works for both the Chowdeck API and Relay.

Obtaining Your API Key

Your secret API key is a unique identifier that grants you access to the Chowdeck API. Keep it confidential and do not share it publicly. You can find your API key in your Chowdeck Dashboard under the "API Settings" or "Developers" section.

Merchant Reference

Your merchantReference is a unique identifier for your store on Chowdeck. It is required in the URL of most API endpoints. You can find it in your Chowdeck Dashboard alongside your API key.

How to Use Your API Key

Include your secret API key in the Authorization header of your HTTP requests using the Bearer scheme.

Header Format:
Authorization: Bearer YOUR_SECRET_API_KEY

Replace YOUR_SECRET_API_KEY with your actual secret key obtained from your dashboard.

Example Request

Here's an example of how you might include your API key in a cURL request:

curl -X GET \
  https://api.chowdeck.com/merchant/YOUR_MERCHANT_REFERENCE/orders \
  -H 'Authorization: Bearer YOUR_SECRET_API_KEY'

Signature Verification

To ensure webhook authenticity, all webhook requests include a signature header x-chowdeck-signature. You must verify this signature using your webhook secret.

Security Best Practices

  • Keep your API key secret: Never expose your secret API key in client-side code, public repositories, or unsecured channels.
  • Use environment variables: Store your API key as an environment variable rather than hardcoding it directly into your application.
  • Rotate keys regularly: Periodically generate new API keys and revoke old ones to minimize the risk of compromise.
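
The cURL request above with the environment-variable practice applied, as an added example that is not part of Chowdeck's documentation: the key and merchant reference are read from the environment and handed to curl through a config on stdin instead of on the command line. The variable names CHOWDECK_API_KEY and CHOWDECK_MERCHANT_REFERENCE and both function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: variable and function names are assumptions, not Chowdeck's.

# Emit a curl config (for `curl --config -`) holding the URL and the
# Authorization header, so the key is not part of curl's argv.
chowdeck_curl_config() {
  local path="$1"
  local key="${CHOWDECK_API_KEY:-}"
  local ref="${CHOWDECK_MERCHANT_REFERENCE:-}"

  # Fail closed when either value is missing from the environment.
  if [ -z "$key" ] || [ -z "$ref" ]; then
    echo "CHOWDECK_API_KEY and CHOWDECK_MERCHANT_REFERENCE must be set" >&2
    return 1
  fi
  # Reject whitespace, quotes and backslashes, which could break out of
  # the quoted config values and inject extra curl options.
  case "$key$ref$path" in
    *[[:space:]\"\\]*)
      echo "unexpected character in key, reference or path" >&2
      return 1 ;;
  esac

  # printf is a shell builtin, so the key does not appear in a process list.
  printf 'url = "https://api.chowdeck.com/merchant/%s/%s"\n' "$ref" "$path"
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# GET an endpoint under the merchant, e.g. `chowdeck_get orders`.
chowdeck_get() {
  local cfg
  cfg="$(chowdeck_curl_config "$1")" || return 1
  # --fail makes HTTP errors (such as a rejected key) a non-zero exit.
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
}
```

Set both variables from a secrets manager or an untracked env file before calling chowdeck_get; after rotating the key, only that stored value changes.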