API keys API
Create, list, and revoke ShopSniffer API keys. Keys are stored as SHA-256 hashes and shown only once at creation.
Overview
API keys let you authenticate scripts, CI pipelines, and AI agents without a browser session. Create one via the dashboard or this API, then pass it in the X-API-Key header on every request.
Auth for all endpoints below: Better Auth session (browser cookie). You cannot create or list API keys using an API key — that's by design, so a leaked key can't mint more keys.
Base URL: https://shopsniffer.com/api
POST /api-keys Stable
Create a new API key. The raw key is returned only once.
Friendly name for the key (e.g. "production-agent", "github-actions"). Helps identify keys in the list view.
bashcurl -X POST https://shopsniffer.com/api/api-keys \ -H "Cookie: better-auth.session_token=…" \ -H "Content-Type: application/json" \ -d '{"name": "Production agent"}'
json{ "id": "key_abc123", "key": "ss_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6", "name": "Production agent", "message": "Store this key securely. It will not be shown again." }
key is only returned in this one response. ShopSniffer stores a SHA-256 hash, not the key itself, so we cannot show it to you again. Write it to a secret manager before closing the response.
GET /api-keys Stable
List your API keys. Keys are masked — only the prefix is shown.
json{ "keys": [ { "id": "key_abc123", "name": "Production agent", "prefix": "ss_live_a1b2…", "created_at": "2026-03-10T08:00:00Z", "revoked": false }, { "id": "key_def456", "name": "Testing", "prefix": "ss_live_x9y8…", "created_at": "2026-02-05T14:20:00Z", "revoked": true } ] }
DELETE /api-keys/:id Stable
Revoke an API key. Revocation takes effect on the next request — in-flight requests using the key continue to completion.
API key ID (the key_… prefix from the list endpoint, not the raw ss_live_… value).
json{ "success": true }
json{ "error": "API key not found" }