Authentication

Malomo authenticates your API requests using your account's API keys. If you do not include your key when making an API request, or use one that is incorrect or outdated, Malomo returns an error.

There are two types of API keys: publishable and secret.

  • Publishable API keys are meant solely to identify your account with Malomo; they aren't secret. In other words, they can safely be published in places like your Malomo.js JavaScript code or in an Android or iPhone app. Publishable keys only have the ability to retrieve shipment information.

  • Secret API keys should be kept confidential and only stored on your own servers. Your account's secret API key can perform any API request to Malomo without restriction. Be sure to keep this key secure! Do not share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

Authentication to the API is performed by providing your API key as a bearer token in the Authorization HTTP header.

curl https://api.gomalomo.com/orders/1323fa24-f252-4f97-9960-a36fee7c3a6a \
  -H "Authorization: Bearer sk_452e3bab2f8c1f7cf03de018855fdf7e" \
  -H "Accept: application/vnd.malomo+json; version=2"

All API requests must be made over HTTPS. Calls made over plain HTTP will fail. API requests without authentication will also fail.
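
The rules above applied to a server-side caller, as an added example that is not part of Malomo's documentation or SDK. It assumes the secret key is held in an environment variable named MALOMO_SECRET_KEY (a name chosen here) and takes the host and Accept value from the curl example; the redact helper and the redirect policy are also additions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

API_HOST = "api.gomalomo.com"        # host taken from the curl example on this page
KEY_ENV_VAR = "MALOMO_SECRET_KEY"    # assumed variable name, not defined by Malomo
ACCEPT = "application/vnd.malomo+json; version=2"


def redact(key):
    """Return a log-safe form of a key: prefix plus last four characters."""
    prefix, _, rest = key.partition("_")
    return f"{prefix}_...{rest[-4:]}" if rest else "<redacted>"


def build_request(url, environ=os.environ):
    """Build an authenticated GET request, refusing anything that could leak the key."""
    parts = urlsplit(url)
    # Check the scheme client-side: over plain HTTP the Authorization header
    # can already be on the wire in cleartext before the API rejects the call.
    if parts.scheme != "https":
        raise ValueError("refusing to send API key over non-HTTPS URL")
    # Pin the host so a typo or attacker-influenced URL cannot receive the key.
    if parts.hostname != API_HOST:
        raise ValueError(f"refusing to send API key to host {parts.hostname!r}")
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {key}",
        "Accept": ACCEPT,
    })


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects, so the bearer token is never replayed elsewhere."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url):
    """Send the request; HTTP errors (such as a rejected key) raise HTTPError."""
    opener = urllib.request.build_opener(NoRedirect)
    with opener.open(build_request(url), timeout=10) as resp:
        return resp.status, resp.read()
```

When logging a failed call, log redact(key) rather than the key or the full Authorization header.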
