Security & Authentication
ShipEngine takes security very seriously, which is why we require all API requests to be made using HTTPS and TLS 1.1 or higher. We also give you the ability to create and revoke API keys quickly and easily via our API dashboard.
Encryption
ShipEngine uses TLS (Transport Layer Security) to encrypt all request and response data. This keeps your sensitive data secure and encrypted - including payment data and customer PII (Personally Identifiable Information) such as addresses and phone numbers.
TLS significantly reduces the risk of data being intercepted or spied upon by third parties by ensuring the following:
- All traffic between your server and ShipEngine is encrypted
- Data payloads are checked for integrity to ensure they have not been modified en route
- Ownership of the api.shipengine.com domain is verified against ShipEngine's security certificate to ensure you are communicating with the right recipient
ShipEngine requires HTTPS and TLS v1.1 or higher for all API calls. This means that all API calls must be made to https://api.shipengine.com, not http://.
Note
Deprecated security protocols
ShipEngine does not support older security protocols such as TLS 1.0 or any version of SSL. These protocols have been deprecated by the IETF due to security vulnerabilities.
API Keys
To authenticate yourself to ShipEngine, you need to include an API-Key header in each API call. If you don't include a key when making an API request, or if you use an incorrect or expired key, then ShipEngine will respond with a 401 Unauthorized error.
For example, here's an API request to validate an address. Notice the API-Key header in the request.
curl -iX POST https://api.shipengine.com/v1/addresses/validate \
-H 'Content-Type: application/json' \
-H 'API-Key: __YOUR_API_KEY_HERE__' \
-d '
[
{
"address_line1": "525 S Winchester Blvd",
"city_locality": "San Jose",
"state_province": "CA",
"postal_code": "95128",
"country_code": "US"
}
]'
Types of API Keys
You can get your API keys from the ShipEngine dashboard. There are two tabs on the API Management page in the dashboard:
- API Keys - These are your production keys. Anything you do with a production API key could incur costs, so we don't recommend using these keys for development or testing.
- Sandbox Keys - These keys are for development and testing purposes. Sandbox keys always start with TEST_ to make it obvious whether a key is production or sandbox. Read more about our sandbox environment for additional details.
Multiple API Keys
You can create any number of either type of key. For example, you may want different keys for different environments, or for different geographical regions, or even separate keys for each server. It's up to you. But regardless of how many keys you have, each type of key has access to all the same data as other keys of that type.
Keep Your Keys Safe
Your API keys give full access to ShipEngine's functionality and therefore should be guarded in the same way you would guard a password or other application credentials.
- Limit who has access to your API keys and to the ShipEngine dashboard
- Store your keys in a safe place, such as a credential store or key vault
- Don't hard-code API keys in your source code or config files
- Ensure that your keys are kept out of any version control system, such as GitHub
If your application runs on users' desktops, mobile devices, or web browsers, then your app's network traffic could be visible to your users - including your API keys. For this reason, we advise that you only call ShipEngine from your server-side code, which runs safely within your network infrastructure.
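One way to apply the guidance above in server-side Python, as an added example that is not ShipEngine's own code: the key is read from the environment instead of source, the TEST_ prefix keeps production keys out of non-production runs, and the TLS context verifies the certificate and hostname. The variable names SHIPENGINE_API_KEY and APP_ENV and the TLS 1.2 client floor are assumptions of this example.

```python
import os
import ssl
import urllib.request

API_BASE = "https://api.shipengine.com"  # from the page; HTTPS only
SANDBOX_PREFIX = "TEST_"                 # from the page: sandbox keys start with TEST_


class KeyConfigError(RuntimeError):
    """Raised when the key is missing or does not match the environment."""


def load_api_key(environ=os.environ):
    # SHIPENGINE_API_KEY and APP_ENV are assumed names chosen for this example.
    key = environ.get("SHIPENGINE_API_KEY", "").strip()
    if not key:
        raise KeyConfigError("SHIPENGINE_API_KEY is not set")
    production = environ.get("APP_ENV", "development") == "production"
    sandbox = key.startswith(SANDBOX_PREFIX)
    if sandbox and production:
        raise KeyConfigError("sandbox key configured for production")
    if not sandbox and not production:
        raise KeyConfigError("production key configured outside production")
    return key


def tls_context():
    # The default context verifies the certificate chain and the hostname.
    ctx = ssl.create_default_context()
    # Client-side floor (assumption); TLS 1.2 satisfies "TLS 1.1 or higher".
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_request(path, body, key):
    # body is the JSON payload as bytes; path is relative to the HTTPS base.
    if not path.startswith("/"):
        raise ValueError("path must be relative to the API base")
    return urllib.request.Request(
        API_BASE + path, data=body, method="POST",
        headers={"Content-Type": "application/json", "API-Key": key})


def send(request):
    # Network call; a 401 raises urllib.error.HTTPError (bad or expired key).
    with urllib.request.urlopen(request, context=tls_context(), timeout=10) as resp:
        return resp.status, resp.read()
```

Failing at startup when a non-TEST_ key appears outside production stops a misconfigured development or CI run before it can incur costs.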
Warning
Deactivating Keys
If one of your API keys becomes compromised somehow, then you should deactivate it and replace it with a new one as quickly as possible. You can do both of these from the ShipEngine dashboard.