API guide

Authentication

Authentication

Use this guide when creating API keys, deciding which key belongs in which environment, or debugging 401 and 403 responses.

Key types

Secret keys are server-only. Use them for template, render, product mapping, embed session, and webhook endpoint management.

Restricted keys are server-only keys with limited scopes.

Publishable keys are browser-safe only when paired with allowed origins. Use them for product mapping resolution and guest embed sessions.

Server requests

curl https://api.stackfill.com/v1/templates \
  -H "Authorization: Bearer stackfill_live_sk_REPLACE_ME"

Browser publishable requests

The widget handles this for normal storefront embeds. Direct browser requests should send the publishable key as a header.

curl https://api.stackfill.com/v1/embed/sessions/guest \
  -H "X-StackFill-Publishable-Key: stackfill_live_pk_REPLACE_ME" \
  -H "Content-Type: application/json" \
  -d '{"external_product_id":"business-card"}'

Common errors

invalid_api_key means the bearer key is missing, malformed, revoked, or not found.

insufficient_scope means a restricted key does not include the required scope.

origin_not_allowed means the publishable key is not valid for the current browser origin.

See Errors and API reference.