Security & Authentication

ShipEngine takes security very seriously, which is why we require all API requests to be made using HTTPS and TLS 1.1 or higher. We also give you the ability to create and revoke API keys quickly and easily via our API dashboard.

Encryption

ShipEngine uses TLS (Transport Layer Security) to encrypt all request and response data. This keeps your sensitive data secure and encrypted - including payment data and customer PII (Personally Identifiable Information) such as addresses and phone numbers.

TLS significantly reduces the risk of data being intercepted or spied upon by third-parties by ensuring the following:

  • All traffic between your server and ShipEngine is encrypted
  • Data payloads are checked for integrity to ensure they have not been modified en route
  • Ownership of the api.shipengine.com domain is verified against ShipEngine's security certificate to ensure you are communicating with the right recipient

ShipEngine requires HTTPS and TLS v1.1 or higher for all API calls. This means that all API calls must be made to https://api.shipengine.com, not http://.

API Keys

To authenticate yourself to ShipEngine, you need to include an API-Key header in each API call. If you don't include a key when making an API request, or if you use an incorrect or expired key, then ShipEngine will respond with a 401 Unauthorized error.

For example, here's an API request to validate an address. Notice the API-Key header in the request.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
POST /v1/addresses/validate HTTP/1.1
Host: api.shipengine.com
API-Key: __YOUR_API_KEY_HERE__
Content-Type: application/json
[
{
"address_line1": "525 S Winchester Blvd",
"city_locality": "San Jose",
"state_province": "CA",
"postal_code": "95128",
"country_code": "US"
}
]

Types of API Keys

You can get your API keys from the ShipEngine dashboard. There are two different types of API keys:

  • Production API Keys - On the "API Management" page of your ShipEngine dashboard, you'll see your production API keys. Anything you do with a production API key could incur costs, so we don't recommend using these keys for development or testing.

  • Sandbox API Keys - On the "Sandbox" page of your ShipEngine dashboard, you'll see your sandbox API keys. These are for development and testing purposes. Sandbox keys always start with TEST_ to make it obvious whether a key is production or sandbox. Read more about our sandbox environment for additional details.

Multiple API Keys

You can create any number of either type of key. For example, you may want different keys for different environments, or for different geographical regions, or even separate keys for each server. It's up to you. But regardless of how many keys you have, each type of key has access to all the same data as other keys of that type.

Keep Your Keys Safe

Your API keys give full access to ShipEngine's functionality and therefore should be guarded in the same way you would guard a password or other application credentials.

  • Limit who has access to your API keys and to the ShipEngine dashboard
  • Store your keys in a safe place, such as a credential store or key vault
  • Don't hard-code API keys in your source code or config files
  • Ensure that your keys are kept out of any version control system, such as GitHub

If your application runs on users' desktops, mobile devices, or web browsers, then your app's network traffic could be visibile to your users - including your API keys. For this reason, we advise that you only call ShipEngine from your server-side code, which runs safely within your network infrastructure.

Client-Side Apps & CORS


Many customers develop client-side applications for interacting with the ShipEngine API. For example, you may have a web app or mobile app that your customers use to create shipping labels through ShipEngine. If this is the case, make sure all requests to ShipEngine are sent from your server and not directly from the client application.

The main reason is that you would need to expose your API key to the client. To protect your ShipEngine account from unauthorized access, you should never expose your API key to any client application.

The other reason is that web browsers and mobile apps will not allow a web page to access a resource on an other domain.

For example, if your app runs at https://my-app.com and you try to make a request to the ShipEngine API at https://api.shipengine.com, the browser will generate an error because your domain, my-app.com, is different from the domain to which you are sending the API request, api.shipengine.com. This prevents other web pages you visit from gaining access to the resource - a protection for both your client and the ShipEngine API.

One solution is to host your own API on the same domain as your application. Your client application interacts directly with your API, and your backend server makes requests to ShipEngine. In this manner, your API is a layer between your client application and ShipEngine.

Some APIs may implement CORS (Cross Origin Resource Sharing) to allow web browsers and mobile applications to call the API directly. However, this is not the best practice for keeping private APIs like ShipEngine secure.