
🎉 ShipEngine is becoming ShipStation API 🎉

Over the next few months you'll notice the ShipEngine website, documentation portal, and dashboard being rebranded as ShipStation API. For our ShipEngine customers, you don't need to take any action or change any of your integrations in any way. All endpoints will remain the same and continue to function as they always have.

To learn more about what's coming, review our New ShipStation API page.

Security & Authentication

ShipStation API takes security seriously: every API request must be made over HTTPS using TLS 1.1 or higher. (TLS 1.0 and 1.1 are deprecated by RFC 8996, so configure your HTTP client for TLS 1.2 or higher rather than relying on the minimum.) We also give you the ability to create and revoke API keys quickly and easily via the API dashboard.

Encryption

ShipStation API uses TLS (Transport Layer Security) to encrypt all request and response data in transit. This keeps your sensitive data, including payment data and customer PII (Personally Identifiable Information) such as addresses and phone numbers, from being read on the wire.

TLS significantly reduces the risk of data being intercepted or spied upon by third-parties by ensuring the following:

  • All traffic between your server and ShipStation API is encrypted.
  • Data payloads are checked for integrity to ensure they have not been modified en route.
  • The identity of the api.shipengine.com and api.eu.shipengine.com hosts is verified against ShipStation API's TLS certificate, so you know you are communicating with the right recipient. This only holds if your client validates certificates; never disable certificate verification in your HTTP client, even in a test environment.

ShipStation API requires HTTPS and TLS v1.1 or higher for all API calls. This means that all API calls must be made to https://api.shipengine.com or https://api.eu.shipengine.com, not http://.

API Keys

To authenticate yourself to ShipStation API you need to include an API-Key header in each API call. If you don't include a key when making an API request, or if you use an incorrect or expired key, ShipStation API will respond with a 401 Unauthorized error.

For example, here's an API request to validate an address. Notice the API-Key header in the request.

POST /v1/addresses/validate HTTP/1.1
Host: api.shipengine.com
API-Key: __YOUR_API_KEY_HERE__
Content-Type: application/json

[
  {
    "address_line1": "525 S Winchester Blvd",
    "city_locality": "San Jose",
    "state_province": "CA",
    "postal_code": "95128",
    "country_code": "US"
  }
]

Types of API Keys

You can get your API keys from your account dashboard. There are two different types of API keys:

  • Production API Keys: Switch to the Production environment of your ShipStation API dashboard to view your production API keys. Anything you do with a production API key could incur costs, so we don't recommend using these keys for development or testing.
  • Sandbox API Keys: Switch to the Sandbox environment of your ShipStation API dashboard to view your sandbox API keys. These are for development and testing purposes. Sandbox keys always start with TEST_ to make it obvious whether a key is production or sandbox. Read more about our sandbox environment for additional details.

Multiple API Keys

You can create any number of either type of key. For example, you may want different keys for different environments, for different geographical regions, or even a separate key for each server. Keys are not scoped, though: every production key has full access to all of the account's production data, and every sandbox key to all of its sandbox data. The benefit of one key per server is that a leaked key can be revoked on its own without rotating every deployment, not that it limits what the key can reach.

Keep Your Keys Safe

Your API keys give full access to ShipStation API's functionality and therefore should be guarded in the same way you would guard a password or other application credentials.

  • Limit who has access to your API keys and to the account dashboard.
  • Store your keys in a safe place, such as a credential store or key vault.
  • Don't hard-code API keys in your source code or config files; read them from the environment or a secret store at runtime.
  • Ensure that your keys are kept out of any version control system, such as GitHub.

If your application runs on users' desktops, mobile devices, or web browsers, its network traffic is visible to those users, including any API key it sends: a debugging proxy or the browser's developer tools is all it takes to read the header. For this reason, call ShipStation API only from your server-side code, which runs within your own network infrastructure.
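The following Node.js module is an added example, not code from the ShipEngine documentation or SDKs. It puts the advice above into practice: the key is read from the environment at startup (never from source or a checked-in config file), the process refuses to start if the key does not match the deployment environment (using the documented TEST_ prefix of sandbox keys), the key is redacted before it reaches a log line, and a small pre-commit style scanner flags lines that look like a committed key. The variable names SHIPENGINE_API_KEY and APP_ENV, and the assumption that a production key simply lacks the TEST_ prefix, are this example's own choices; the page documents no format for production keys.

```javascript
// Added example, not ShipEngine's own code. Assumed environment variables:
//   SHIPENGINE_API_KEY  the key itself (never in source or config files)
//   APP_ENV             "production" or anything else (development, staging, ci, ...)

const SANDBOX_PREFIX = "TEST_"; // documented: sandbox keys always start with TEST_

class ApiKeyError extends Error {}

/**
 * Return the API key for the given environment map, or throw.
 * - production must not run on a sandbox key: calls would silently hit the
 *   sandbox and no real labels would ever be produced;
 * - anything else must run on a sandbox key: a production key on a developer
 *   box or in CI can incur charges and touch live customer data.
 */
function loadApiKey(env = process.env) {
  const key = (env.SHIPENGINE_API_KEY || "").trim();
  const appEnv = env.APP_ENV || "development";
  if (!key) throw new ApiKeyError("SHIPENGINE_API_KEY is not set; refusing to start");
  const isSandboxKey = key.startsWith(SANDBOX_PREFIX);
  if (appEnv === "production" && isSandboxKey) {
    throw new ApiKeyError("APP_ENV=production but a sandbox (TEST_) key was supplied");
  }
  if (appEnv !== "production" && !isSandboxKey) {
    throw new ApiKeyError(`APP_ENV=${appEnv} but a non-sandbox key was supplied; use a TEST_ key`);
  }
  return key;
}

/** Redact a key for log lines: enough to tell which key is in use, never the whole secret. */
function redactKey(key) {
  if (typeof key !== "string" || key.length < 12) return "****";
  return `${key.slice(0, 4)}...${key.slice(-4)}`;
}

// Pre-commit style check over a diff or file: returns 1-based line numbers that look
// like a committed key. Sandbox keys are recognisable by the documented TEST_ prefix;
// production keys have no documented format, so the second pattern catches any literal
// API-Key header value other than the docs' __YOUR_API_KEY_HERE__ placeholder.
const LEAK_PATTERNS = [
  /\bTEST_[A-Za-z0-9_\-]{8,}\b/,
  /API-Key["']?\s*[:=]\s*["']?(?!__YOUR_API_KEY_HERE__)[A-Za-z0-9_\-]{8,}/i,
];
function findKeyLeaks(text) {
  return text
    .split("\n")
    .flatMap((line, i) => (LEAK_PATTERNS.some((re) => re.test(line)) ? [i + 1] : []));
}

/** Startup helper: load the key or exit non-zero before any request is made. */
function keyFromEnvironmentOrExit() {
  try {
    const key = loadApiKey();
    console.log(`ShipStation API key loaded: ${redactKey(key)}`);
    return key;
  } catch (e) {
    console.error(e.message);
    process.exit(1);
  }
}

module.exports = { loadApiKey, redactKey, findKeyLeaks, keyFromEnvironmentOrExit, ApiKeyError };
```

Wire `findKeyLeaks` into a pre-commit hook over `git diff --cached` and fail the commit on any hit; treat a hit as a key that must be revoked in the dashboard, not merely removed from history, since git history is rarely rewritten everywhere it was cloned.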

Client-Side Apps & CORS

Many customers develop client-side applications for interacting with the ShipStation API. For example, you may have a web app or mobile app that your customers use to create shipping labels through ShipStation API. If this is the case, make sure all requests to ShipStation API are sent from your server and not directly from the client application.

The main reason for this is that you would need to expose your API key to the client. To protect your ShipStation API account from unauthorized access you should never expose your API key to any client application.

The other reason is the browser's same-origin policy: a script on one origin may not read a response from another origin unless that server explicitly allows it with CORS headers. (Native mobile apps have no such restriction, but the first reason, key exposure, applies to them just as much.)

For example, if your app runs at https://my-app.com and a page there tries to call https://api.shipengine.com, the browser blocks the call because the origin my-app.com differs from api.shipengine.com and ShipStation API does not grant cross-origin access. A request carrying a custom API-Key header also triggers a CORS preflight, which fails for the same reason. This is a protection for both your users and ShipStation API: it stops other web pages a user visits from reading API responses through that user's browser.

One solution is to host your own API on the same domain as your application. Your client application interacts directly with your API and your backend server makes requests to ShipStation API. In this manner your API is a layer between your client application and ShipStation API.

Some APIs may implement CORS (Cross Origin Resource Sharing) to allow web browsers and mobile applications to call the API directly. However, this is not the best practice for keeping private APIs like ShipStation API secure.