Skip to main content
Learn how we protect your information by not being accessed by attackers or how we protect you from others creating a custom storefront with your store information.

How it works

Every SDK call requires a storefront API key — a shopi_pk_ prefixed key generated from the Shopi seller dashboard. The key identifies which shop’s data to serve and enforces rate limits per shop.

Key rules

Each key is tied to one shop. A theme developer does not own or distribute keys — the shop owner generates their own key from the seller dashboard and provides it when configuring the theme.
Storefront keys are designed to be used in browser environments. They can only read public shop data and write orders/reviews. They cannot access admin operations, other shops, or any internal Supabase resources.
The SDK validates the key format at construction time. Any key not starting with shopi_pk_ throws immediately before any network call is made.

Constructor options

OptionTypeRequiredDefaultDescription
apiKeystringMust start with shopi_pk_
timeoutMsnumber10000Request timeout in milliseconds
baseUrlstringhttps://apicall.shopi.lk/v1Do not override in production

Best practices

Never hardcode a real API key in a theme template, public repo, or client-side config file that gets committed to version control.

Generating a key

Shop owners generate API keys from their Shopi seller dashboard: Seller Dashboard → Settings → API Keys → Generate New Key Keys can be scoped to specific permissions and revoked at any time without affecting other keys.