Getting started
Authentication
How to authenticate requests with a per-store API key.
Every request is authenticated with a Bearer API key sent in the Authorization header:
Authorization: Bearer kanal_sk_live_xxx
Getting an API key
API keys are issued by Kanal. Ask your Kanal contact (or your CSM) to generate a key for your store. You will receive:
- an API key (treat it like a password — it is shown only once), and
- your store_id, the numeric identifier used in every endpoint path.
Per-store scoping
Keys are scoped to a single store. A request is authorized only when:
- the key is scoped to the exact store_id in the URL, or
- the key is a team-wide key and the store belongs to that team.
Any other combination returns 403. This means
a key leaked for one store can never write data to another.
Keep keys server-side. Never ship them in a browser, mobile app, or any client the customer controls.
Auth failure modes
| Situation | Status |
|---|---|
| No Authorization header | 401 |
| Unknown / revoked key | 401 |
| Valid key, not authorized for this store | 403 |
| store_id does not exist or store is paused | 404 |
Verifying your setup
The cheapest authorized call is a customer upsert. A 2xx confirms the key,
the store, and the scoping are all correct:
curl -X POST https://api.getkanal.com/api/v1/stores/123/customers \
-H "Authorization: Bearer kanal_sk_live_xxx" \
-H "Content-Type: application/json" \
-d '{ "phone": "+33612345678", "first_name": "Test" }'
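A scripted version of the check above, which reads the key from the server environment, passes it to curl on stdin so it stays out of the process list and shell history, and maps the status code to the causes in the failure-mode table. This is an added example, not part of Kanal's documentation; the variable names KANAL_API_KEY and KANAL_STORE_ID and the three function names are assumptions.

```shell
#!/bin/sh
# Added example (not Kanal's own code). Assumed names: KANAL_API_KEY,
# KANAL_STORE_ID, kanal_explain_status, kanal_store_url, kanal_verify.

# Map an HTTP status to the cause listed in the failure-mode table.
# Returns 0 only for a 2xx status.
kanal_explain_status() {
  case "$1" in
    2[0-9][0-9]) echo "ok: key, store and scoping are correct"; return 0 ;;
    401) echo "401: Authorization header missing, or key unknown/revoked" ;;
    403) echo "403: key is valid but not authorized for this store" ;;
    404) echo "404: store_id does not exist or the store is paused" ;;
    *)   echo "$1: not an auth outcome listed in the failure-mode table" ;;
  esac
  return 1
}

# Build the endpoint URL; accept only a numeric store_id so nothing else
# can end up in the URL path.
kanal_store_url() {
  case "$1" in
    ''|*[!0-9]*) echo "store_id must be numeric" >&2; return 2 ;;
  esac
  echo "https://api.getkanal.com/api/v1/stores/$1/customers"
}

# Send the customer upsert from the page. The Authorization header is written
# by the shell's printf and read by curl from stdin (-H @-, curl >= 7.55.0),
# so the key is never a command-line argument.
kanal_verify() {
  [ -n "${KANAL_API_KEY:-}" ] || { echo "KANAL_API_KEY is not set" >&2; return 2; }
  url=$(kanal_store_url "${KANAL_STORE_ID:-}") || return 2
  status=$(printf 'Authorization: Bearer %s\n' "$KANAL_API_KEY" |
    curl -sS -o /dev/null -w '%{http_code}' -X POST "$url" \
      -H @- -H 'Content-Type: application/json' \
      -d '{ "phone": "+33612345678", "first_name": "Test" }') || return 3
  kanal_explain_status "$status"
}
```

Source the file on the server, export the two variables from your secret store, and run `kanal_verify`; a non-zero exit with a 401, 403 or 404 message tells you which part of the setup to fix.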