Wemarka API Docs

Authentication

All Wemarka API requests require authentication via an API key passed in the Authorization header.

API Key Format

API keys follow the format:

wk_{environment}_{random}
  • Test keys: wk_test_... — Use for development. No real data is affected.
  • Live keys: wk_live_... — Use in production. Operates on real data.

Making Authenticated Requests

Pass your key as a Bearer token:

curl -H "Authorization: Bearer wk_live_abc123..." \
  https://api.wemarka.com/api/v1/tenants

Scopes

Each API key has one or more scopes that determine what it can access:

| Scope | Permissions |
|-------|-------------|
| catalog:read | List stores, products, categories. Search products. Resolve carts. |
| orders:write | Place orders on behalf of customers. |

If a request requires a scope your key doesn't have, the API returns 403 Forbidden.

Key Management

Manage your API keys in the Developer Portal:

  • Create keys with specific scopes.
  • Revoke keys that are no longer needed.
  • Monitor last-used timestamps to identify unused keys.

Security

  • Store keys in environment variables, never in source code.
  • Use server-side calls only — never expose keys in client-side JavaScript.
  • Rotate keys periodically and revoke compromised keys immediately.
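
The storage rules above can be enforced in code. The following is an added example, not part of the Wemarka documentation or SDK: it loads the key from an environment variable, refuses a live key unless explicitly allowed, and scans source text for hard-coded keys. The variable name `WEMARKA_API_KEY`, the `allow_live` guard, and the character set assumed for the `{random}` part are assumptions.

```python
import os
import re

# Assumption: the {random} part is letters, digits, "_" or "-" (6+ chars);
# the page documents only the wk_{environment}_{random} shape.
KEY_RE = re.compile(r"\bwk_(test|live)_[A-Za-z0-9_-]{6,}")

def load_api_key(env=os.environ, var="WEMARKA_API_KEY", allow_live=False):
    """Read the key from the environment; refuse live keys unless opted in."""
    key = env.get(var, "").strip()
    match = KEY_RE.fullmatch(key)
    if match is None:
        raise ValueError(f"{var} is missing or not in wk_<environment>_<random> form")
    if match.group(1) == "live" and not allow_live:
        raise RuntimeError("live key loaded outside production; set allow_live=True")
    return key

def auth_headers(key):
    """Build the Bearer header the API expects."""
    return {"Authorization": f"Bearer {key}"}

def redact(key):
    """Keep only the environment prefix so logs never contain the secret part."""
    match = KEY_RE.fullmatch(key)
    return f"wk_{match.group(1)}_****" if match else "****"

def find_hardcoded_keys(source_text):
    """Return (line_number, redacted_key) for each key literal in source text."""
    hits = []
    for number, line in enumerate(source_text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            hits.append((number, redact(match.group(0))))
    return hits

# Constructed sample input: neither key is real.
SAMPLE_SOURCE = '''import os
API_KEY = "wk_live_CONSTRUCTEDexample01"
API_KEY = os.environ["WEMARKA_API_KEY"]
headers = {"Authorization": "Bearer wk_test_CONSTRUCTEDexample02"}
'''

if __name__ == "__main__":
    for number, key in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {number}: hard-coded key {key}")
    key = load_api_key({"WEMARKA_API_KEY": "wk_test_CONSTRUCTEDexample02"})
    print(redact(key), sorted(auth_headers(key)))
```

Running `find_hardcoded_keys` over staged files in a pre-commit hook or CI job catches a key before it reaches the repository; any key it finds in history should be revoked, not just deleted.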
