API Authentication

Everything you need to know about API keys, permissions, and security

Overview

The Connect2Print API uses API keys for authentication. Each request must include a valid API key in the Authorization header.

Key points:

API Key Formats

API keys have different prefixes based on their environment:

Test Mode keys

Used for development and testing. Test keys start with the prefix c2p_test_, for example:

c2p_test_1a2b3c4d5e6f7g8h9i0j

Test mode keys only work in the test environment and don't have access to live data.

Live Mode keys

Used for production. Live keys start with the prefix c2p_live_, for example:

c2p_live_9z8y7x6w5v4u3t2s1r0q

Live keys have access to real data and should be protected carefully.

Creating API Keys

You can create and manage API keys from the admin panel:

  1. Log in to your Connect2Print admin panel
  2. Navigate to Settings → API Keys
  3. Click "Create New API Key"
  4. Configure key settings:
    • Name: A descriptive name for identification
    • Mode: Test or Live
    • Scopes: Select which permissions the key should have
    • Expiration: Optional expiration date
    • IP Restrictions: Optional whitelist of IP addresses
  5. Click "Save" and copy your new key

Important: Your API key is shown only once when you create it. Store it securely immediately.

Using API Keys

Include your API key in the Authorization header as a Bearer token:

HTTP Header Format

Authorization: Bearer YOUR_API_KEY

Examples

// cURL
curl -H "Authorization: Bearer c2p_test_..." \
  https://app1.connect2print.com/api/v1/orders

// PHP
$headers = ['Authorization: Bearer c2p_test_...'];

// JavaScript
headers: { 'Authorization': 'Bearer c2p_test_...' }

Permissions (Scopes)

Scopes define what an API key is allowed to do. Each scope grants access to specific endpoints.

Scopes are split into read and write permissions:

Available Scopes

Orders: orders:read, orders:write
Customers: customers:read, customers:write
Products: products:read
Addresses: addresses:read, addresses:write
Cart: cart:read, cart:write
Files: files:read, files:write
Shipments: shipments:read, shipments:write
Production: production:read, production:write
Invoices: invoices:read, invoices:write
Quotes: quotes:read, quotes:write
Webhooks: webhooks:read, webhooks:write
Stock: stock:read, stock:write

Principle of Least Privilege: Only grant the permissions necessary for your integration.

Test vs Live Mode

The API supports two separate environments:

Test Mode

Safe environment for development and testing:

Live Mode

Production environment with real data:

Security Best Practices

Follow these best practices to keep your API keys secure:

🔐 Store keys securely

Never commit API keys to source code or version control. Use environment variables or secure secret management systems.

🔒 Use HTTPS

Always send API requests over HTTPS to protect your keys in transit.

🔄 Rotate keys regularly

Update your API keys periodically, especially if you suspect compromise.

🎯 Use minimal permissions

Only assign the scopes needed for your integration. Avoid granting unnecessary access.

⏰ Set expiration dates

Consider setting expiration dates on API keys to enforce rotation.

🌐 Use IP restrictions

In production, whitelist specific IP addresses that can use the key.

📊 Monitor usage

Regularly check API logs for unusual activity.

🚫 Revoke compromised keys

If a key is compromised, revoke it immediately from the admin panel.
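
The following Node.js sketch is an added example, not Connect2Print's own code. It applies three of the practices above on the client side: it loads the key from the environment, checks the c2p_test_ / c2p_live_ prefix against the intended mode before any request is made, and refuses to attach the key to a non-HTTPS URL. The environment variable name C2P_API_KEY and the function names are assumptions chosen for illustration.

```javascript
// Added example: C2P_API_KEY, loadApiKey, authHeaders and redactKey are
// hypothetical names for illustration, not part of the Connect2Print API.
const KEY_PREFIXES = { test: 'c2p_test_', live: 'c2p_live_' };

// Read the key from the environment instead of source code, and fail fast
// if it is missing, contains whitespace, or belongs to the wrong mode.
function loadApiKey(env, expectedMode) {
  const prefix = KEY_PREFIXES[expectedMode];
  if (!prefix) throw new Error(`unknown mode: ${expectedMode}`);
  const raw = env.C2P_API_KEY;
  if (!raw) throw new Error('C2P_API_KEY is not set');
  const key = raw.trim(); // copied keys often carry stray spaces or newlines
  if (/\s/.test(key)) throw new Error('API key contains whitespace');
  if (!key.startsWith(prefix)) {
    throw new Error(`expected a ${expectedMode} key (${prefix}...)`);
  }
  return key;
}

// Keep the prefix so logs still show which mode was used; hide the rest.
function redactKey(key) {
  const m = /^(c2p_(?:test|live)_)/.exec(key);
  return m ? `${m[1]}****` : '****';
}

// Build request options; refuse plain HTTP so the key never travels in clear.
function authHeaders(url, key) {
  if (new URL(url).protocol !== 'https:') {
    throw new Error('refusing to send API key over a non-HTTPS URL');
  }
  return { headers: { Authorization: `Bearer ${key}` } };
}

// Constructed sample environment; in real use pass process.env instead.
const sampleEnv = { C2P_API_KEY: ' c2p_test_1a2b3c4d5e6f7g8h9i0j\n' };
const sampleKey = loadApiKey(sampleEnv, 'test');
const sampleOpts = authHeaders(
  'https://app1.connect2print.com/api/v1/orders', sampleKey);
console.log(redactKey(sampleKey), Object.keys(sampleOpts.headers));
```

The returned options object can be passed to fetch() as its second argument. Log redactKey(key) rather than the key itself.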

Troubleshooting

Common authentication errors and solutions:

401 Unauthorized - Invalid API key

Your API key is invalid or missing. Check that:

  • The key is correctly copied without extra spaces
  • The key hasn't expired
  • The key hasn't been revoked
  • You're using Bearer format in the Authorization header

403 Forbidden - Insufficient permissions

Your API key lacks the required permissions (scopes). Solution:

  • Check which scopes your endpoint requires
  • Update your API key in the admin panel to add missing scopes
  • Or create a new key with the correct permissions

429 Too Many Requests

You've exceeded the rate limit. See our Rate Limiting Guide for details.

Mixing test and live keys

Ensure you're using the right type of key for your environment. Test keys don't work in live mode and vice versa.

Next Steps

Now that you understand authentication, explore related topics:

Rate Limiting

Learn about request limits and how to optimize your API usage


Error Handling

Understand API error codes and how to handle them


Webhooks

Receive real-time notifications instead of polling the API


API Reference

Browse all available endpoints and their permissions
