Key types
| Key | Where to use | How |
|---|---|---|
| API key | Your backend server | X-API-Key header on outbound REST calls |
| Signing secret | Your backend server | Verify X-Bolt-Hmac-Sha256 on inbound webhooks and Merchant Callback requests |
| Publishable key | Storefront / client SDKs | Initialize Bolt Connect, checkout modal, or embeddable components |
Outbound API calls
Server-side requests require your API key in the X-API-Key header and Content-Type: application/json for JSON bodies.
Some endpoints also accept X-Nonce: a unique value per request (a UUID works well). Check the endpoint reference if your call fails validation.
Merchant Callback (inbound)
When Bolt calls your server, verify the X-Bolt-Hmac-Sha256 header using your signing secret. See Verify webhooks.
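
One way to perform the inbound check described above, as an added example that is not Bolt's own code. It assumes the header value is the base64-encoded HMAC-SHA256 of the raw request body keyed with the signing secret (confirm the encoding in Verify webhooks); the function names and sample data are hypothetical.

```python
import base64
import binascii
import hashlib
import hmac

SIGNATURE_HEADER = "X-Bolt-Hmac-Sha256"  # header name from the key table


def _mac(signing_secret: str, raw_body: bytes) -> bytes:
    # HMAC over the exact bytes received, before any JSON parsing or re-serialisation.
    return hmac.new(signing_secret.encode(), raw_body, hashlib.sha256).digest()


def compute_signature(signing_secret: str, raw_body: bytes) -> str:
    # Assumption: the header carries base64(HMAC-SHA256(signing secret, raw body)).
    return base64.b64encode(_mac(signing_secret, raw_body)).decode()


def verify_request(signing_secret: str, headers: dict, raw_body: bytes) -> bool:
    """Return True only if the request carries a valid signature for raw_body."""
    # HTTP header names are case-insensitive and frameworks normalise them differently.
    received = next(
        (v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()),
        None,
    )
    if not received:
        return False  # unsigned request: reject instead of processing it
    try:
        received_mac = base64.b64decode(received.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed signature value
    # Constant-time comparison does not reveal how many leading bytes matched.
    return hmac.compare_digest(received_mac, _mac(signing_secret, raw_body))


# Constructed sample data (not real Bolt traffic or credentials).
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"type":"payment","id":"constructed-123"}'
SAMPLE_HEADERS = {"x-bolt-hmac-sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(verify_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))         # intact body
    print(verify_request(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" "))  # altered body
```

Pass the request body as the bytes read from the socket; a body that has been parsed and re-encoded may differ in whitespace or key order and will fail the check.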