Authentication

Every API request requires a valid API key. Keys are tied to a specific tenant and have scopes that determine which endpoints they can call.

Key format

Live keys start with spk_live_ — hit real production data
Test keys start with spk_test_ — hit production infra but flag orders as test, skip real payments and emails

Example: spk_live_a1b2c3d4e5f6...

Use either header — the API accepts both:

Authorization header (recommended):

Authorization: Bearer spk_live_xxxxxxxxxxxxxxxx

X-API-Key header:

X-API-Key: spk_live_xxxxxxxxxxxxxxxx

If you lose a key, revoke it and create a new one.

Each scope grants access to a specific area of the API. A key only works on endpoints matching its scopes.

Scope	Access
`catalog:read`	Browse categories, products, variants
`inventory:read`	Read device inventory
`inventory:write`	Update device fields, log history events
`orders:read`	List/view orders
`orders:write`	Create, update status, set tracking, cancel
`customers:read`	List/view customer accounts
`customers:write`	Create and update customers
`buyback:read`	Pricing lookups, view quotes
`buyback:write`	Create quotes, update status
`batches:read`	List intake batches
`batches:write`	Create, update, complete batches
`repairs:read`	View repair tickets, queue, history
`repairs:write`	Update repair status
`returns:read`	List/view returns
`returns:write`	Create and update returns
`reports:read`	Analytics endpoints
`webhooks:manage`	Register/delete webhook subscriptions

Tip: Give each integration the minimum scopes it needs. If your integration only reads products, it should have catalog:read — nothing else.

Revoked keys stop working immediately. There is no undo.

Status	Meaning
`401`	Missing or invalid key
`403`	Key is valid but lacks the required scope
`429`	Rate limit exceeded (see Rate Limits)