Security & Authentication

ShipEngine takes security very seriously, which is why we require all API requests to be made using HTTPS and TLS 1.1 or higher. We also give you the ability to create and revoke API keys quickly and easily via our API dashboard.


ShipEngine uses TLS (Transport Layer Security) to encrypt all request and response data. This keeps your sensitive data secure and encrypted - including payment data and customer PII (Personally Identifiable Information) such as addresses and phone numbers.

TLS significantly reduces the risk of data being intercepted or spied upon by third-parties by ensuring the following:

  • All traffic between your server and ShipEngine is encrypted
  • Data payloads are checked for integrity to ensure they have not been modified en route
  • Ownership of the domain is verified against ShipEngine's security certificate to ensure you are communicating with the right recipient

ShipEngine requires HTTPS and TLS v1.1 or higher for all API calls. This means that all API calls must be made to, not http://.


Deprecated security protocols

ShipEngine does not support older security protocols such as TLS 1.0 or any version of SSL. These protocols have been deprecated by the IETF due to security vulnerabilities.

API Keys

To authenticate yourself to ShipEngine, you need to include an API-Key header in each API call. If you don't include a key when making an API request, or if you use an incorrect or expired key, then ShipEngine will respond with a 401 Unauthorized error.

For example, here's an API request to validate an address. Notice the API-Key header in the request.

POST /v1/addresses/validate HTTP/1.1
Content-Type: application/json

    "address_line1": "525 S Winchester Blvd",
    "city_locality": "San Jose",
    "state_province": "CA",
    "postal_code": "95128",
    "country_code": "US"

Types of API Keys

You can get your API keys from the ShipEngine dashboard. There are two different types of API keys:

  • Production API Keys - On the "API Management" page of your ShipEngine dashboard, you'll see your production API keys. Anything you do with a production API key could incur costs, so we don't recommend using these keys for development or testing.

  • Sandbox API Keys - On the "Sandbox" page of your ShipEngine dashboard, you'll see your sandbox API keys. These are for development and testing purposes. Sandbox keys always start with TEST_ to make it obvious whether a key is production or sandbox. Read more about our sandbox environment for additional details.

Multiple API Keys

You can create any number of either type of key. For example, you may want different keys for different environments, or for different geographical regions, or even separate keys for each server. It's up to you. But regardless of how many keys you have, each type of key has access to all the same data as other keys of that type.

Keep Your Keys Safe

Your API keys give full access to ShipEngine's functionality and therefore should be guarded in the same way you would guard a password or other application credentials.

  • Limit who has access to your API keys and to the ShipEngine dashboard
  • Store your keys in a safe place, such as a credential store or key vault
  • Don't hard-code API keys in your source code or config files
  • Ensure that your keys are kept out of any version control system, such as GitHub

If your application runs on users' desktops, mobile devices, or web browsers, then your app's network traffic could be visibile to your users - including your API keys. For this reason, we advise that you only call ShipEngine from your server-side code, which runs safely within your network infrastructure.


Deactivating Keys

If one of your API keys becomes compromised somehow, then you should deactivate it and replace it with a new one as quickly as possible. You can do both of these from the ShipEngine dashboard.