API Keys
Spectra exposes a full public API for external integrators. API keys authenticate requests and are scoped to specific features and rate-limit tiers.
This page is the admin-side overview. For the developer-side docs, see API Authentication.
Where to find it
Admin: /commerce/api-keys
What you can do
- Generate keys — pick label, scopes, rate tier, live vs. test
- View usage stats per key — requests today/week/month, top endpoints, error rate
- Revoke keys — immediate effect, cannot be undone
- Audit key activity — recent request log for any key
Key format
- Live: spk_live_xxxxxxxxxxxxxxxx — hits real production data
- Test: spk_test_xxxxxxxxxxxxxxxx — flags orders as test, no real payments/emails
The key is shown only once on creation — if lost, revoke and create a new one.
Scopes
Each key has a set of scopes that gate which endpoints it can call. See the full list in Authentication.
Best practice: give each integration the minimum scopes it needs. A catalog-only integration should have catalog:read and nothing else.
Rate limit tiers
| Tier | Per hour | Per day |
|---|---|---|
| Free | 100 | 1,000 |
| Standard | 1,000 | 50,000 |
| Premium | 10,000 | 1,000,000 |
| Unlimited | — | — |
Rate limits are sliding-window, enforced per-key.
Managing secrets
API keys are sensitive. Store them:
- In environment variables (never commit to git)
- In a secret manager (1Password, AWS Secrets Manager, etc.)
- Never in frontend code — keys are server-to-server only
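One way to enforce the storage rules above is to scan files for key-shaped strings before they are committed or shipped in a frontend bundle. The following is an added example, not Spectra tooling. It assumes the secret part of a key is 16 or more letters and digits (the page only shows the placeholder form), and the sample input and variable names are constructed.

```python
import re
import sys

# Assumption: the page's prefixes followed by 16+ letters/digits.
KEY_RE = re.compile(r"(?<![A-Za-z0-9])spk_(live|test)_([A-Za-z0-9]{16,})")
SAME_CHAR_RE = re.compile(r"^(.)\1*$")  # docs placeholder such as xxxxxxxxxxxxxxxx


def redact(key):
    """Mask the secret, keeping the prefix and last 4 characters for triage."""
    prefix, secret = key.rsplit("_", 1)
    return f"{prefix}_{'*' * (len(secret) - 4)}{secret[-4:]}"


def scan_text(text, path="<text>"):
    """Return one finding per key: path, line number, live/test mode, redacted key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            if SAME_CHAR_RE.match(m.group(2)):
                continue  # placeholder from documentation, not a credential
            findings.append({"path": path, "line": lineno,
                             "mode": m.group(1), "key": redact(m.group(0))})
    return findings


def scan_files(paths):
    """Scan files (for example, the staged files passed in by a pre-commit hook)."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


# Constructed sample input: key values and variable names are made up.
SAMPLE = '''\
const apiKey = "spk_live_a1B2c3D4e5F6g7H8";
SPECTRA_KEY=spk_test_0000111122223333
# docs: keys look like spk_live_xxxxxxxxxxxxxxxx
api_key = os.environ["SPECTRA_API_KEY"]
'''

if __name__ == "__main__":
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for f in results:
        print(f"{f['path']}:{f['line']}: {f['mode']} key {f['key']}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

Any key the scan finds in a repository or bundle should be treated as exposed: revoke it and create a new one, since a key cannot be retrieved or un-leaked.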
Webhook integration
Each webhook subscription is owned by an API key. If you revoke a key, its webhooks stop firing. See Webhooks.