API keys provide long-lived, non-interactive authentication for machine-to-machine communication. Unlike session tokens that expire and require interactive login, API keys are designed for automated integrations that need persistent access to the Vendure Admin API.
Support for API Keys was added in Vendure v3.6.0
API keys are the right choice when:
API keys are not intended for end-user authentication. For customer-facing authentication, use the standard session-based login flow.
API key authentication is opt-in. To enable it, add 'api-key' to the tokenMethod array in your Vendure config:
With this configuration, Vendure checks incoming requests for authentication in the following order:
Authorization: Bearer <token> header (SPAs, mobile apps)vendure-api-key header (machine-to-machine)The first matching method wins. This means if a request includes both a session cookie and an API key header, the cookie takes precedence.
If you do not include 'api-key' in the tokenMethod array, API key headers will be silently ignored even if keys exist in the database.
Navigate to Settings > API Keys and click New API Key. You will need to:
The full API key will be displayed once. Copy it immediately or download the .env file — the secret cannot be retrieved later. If you lose it, you must rotate the key.
You can only assign roles whose permissions you already have. A user with the "Catalog Manager" role cannot create an API key with "SuperAdmin" permissions.
Send the API key in the vendure-api-key header:
Or in a Node.js script:
Understanding the internals helps when customizing or debugging API key authentication.
An API key consists of two parts separated by a colon:
<lookupId>:<secret>
lookupId:secret) is hashed using bcrypt and stored in the database.This two-part design is important: bcrypt produces different hashes for the same input (due to random salts), so you cannot look up a key by hashing the incoming secret and searching for a match. The lookup ID solves this by providing a stable, indexable identifier.
When a request arrives with an API key:
vendure-api-key header value is extractedlookupId and secretApiKey entity is fetched from the database using the lookupIdlookupId:secret) is verified against the stored bcrypt hashEach API key is associated with a dedicated user that holds the key's roles. This user:
deletedAt timestamp)The key also tracks an owner — the administrator who created it. This is useful for auditing.
API keys are channel-aware. When you create an API key in a specific channel context, it is scoped to that channel. The key's permissions only apply within its assigned channels, just like any other user in a multi-channel setup.
A common use case is synchronizing product and inventory data between Vendure and an ERP system:
Create an API key with a role that has ReadCatalog and UpdateCatalog permissions — nothing more.
A cron job that generates daily sales reports:
If a key is compromised or as part of regular security hygiene, you can rotate it:
Rotation preserves the key's roles and permissions but generates a new secret. Any integration using the old key will immediately stop working.
The lastUsedAt field on each API key tracks when it was last used for authentication. Use this to identify unused keys:
Keys that haven't been used in months are candidates for deletion.
You can customize how API keys are generated, parsed, and hashed by providing a custom strategy.
For example, to use a prefix that identifies the key type:
This produces keys like adm_a1b2c3d4e5f6:xyz789....
If vendure-api-key conflicts with your infrastructure:
lastUsedAt updatesBy default, lastUsedAt is updated on every request. For high-traffic API key usage, you can reduce database writes:
If you're testing in a browser-based tool (like the GraphQL playground at /admin-api), the browser sends a session cookie automatically. Since cookies are checked before API keys, the cookie wins and the key is ignored.
Fix: Use a tool that doesn't send cookies, such as curl or a standalone HTTP client. Alternatively, clear your browser cookies for the Vendure domain.
If you get a Forbidden error despite having a valid API key:
'api-key' is included in the tokenMethod configAPI keys must be in the format <lookupId>:<secret>. If the header value doesn't contain the delimiter (: by default), the key won't be parsed and the request will be unauthenticated.
SuperAdmin access.lastUsedAt periodically. Delete keys that are no longer in use.