Authenticate every outbound request to Bolt with your division’s credentials from the Merchant Dashboard.

Key types

| Key | Where to use | How |
| --- | --- | --- |
| API key | Your backend server | X-API-Key header on outbound REST calls |
| Signing secret | Your backend server | Verify X-Bolt-Hmac-Sha256 on inbound webhooks and Merchant Callback requests |
| Publishable key | Storefront / client SDKs | Initialize Bolt Connect, checkout modal, or embeddable components |
Each division has its own keys. Sandbox and production credentials are separate: see Environments.

Outbound API calls

Server-side requests require your API key in the X-API-Key header and Content-Type: application/json for JSON bodies. Some endpoints also accept X-Nonce: a unique value per request (a UUID works well). Check the endpoint reference if your call fails validation.
cURL
curl -X POST 'https://api-sandbox.bolt.com/v1/merchant/orders' \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: YOUR_API_KEY' \
  -d '{"cart": {...}}'
Use your publishable key only in client-side SDK initialization: never in server-side API calls.

Merchant Callback (inbound)

When Bolt calls your server, verify the X-Bolt-Hmac-Sha256 header using your signing secret. See Verify webhooks.
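The following verification handler is an added example, not Bolt's own code or SDK. It assumes the X-Bolt-Hmac-Sha256 value is the base64-encoded HMAC-SHA256 of the raw request body keyed with the signing secret (confirm the exact encoding in Verify webhooks); the secret and body below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Mapping, Optional


def compute_signature(signing_secret: str, raw_body: bytes) -> str:
    """Base64-encoded HMAC-SHA256 over the raw body (assumed encoding)."""
    digest = hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_bolt_signature(signing_secret: str, raw_body: bytes,
                          header_value: Optional[str]) -> bool:
    """True only when the header is present and matches the recomputed MAC.

    The comparison is constant-time so a forged value cannot be refined
    byte by byte from response timing.
    """
    if not header_value:
        return False
    expected = compute_signature(signing_secret, raw_body)
    return hmac.compare_digest(expected, header_value.strip())


def handle_merchant_callback(headers: Mapping[str, str], raw_body: bytes,
                             signing_secret: str) -> int:
    """Return the HTTP status to send back: 401 on a bad signature, else 200.

    Verify the body exactly as received (bytes, not re-serialised JSON) and
    only parse it after the signature checks out.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if not verify_bolt_signature(signing_secret, raw_body, lowered.get("x-bolt-hmac-sha256")):
        return 401
    payload = json.loads(raw_body)
    _ = payload  # hand off to order processing here
    return 200


# Constructed sample values, not real credentials or Bolt traffic
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"event":"order.created","order_id":"ORD-123"}'

if __name__ == "__main__":
    good = {"X-Bolt-Hmac-Sha256": compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(handle_merchant_callback(good, SAMPLE_BODY, SAMPLE_SECRET))
```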

OAuth (shopper accounts)

Third-party apps use the OAuth 2.0 authorization code flow to access Bolt Account data. See Bolt OAuth.

Key rotation

Bolt supports rotating API keys and signing secrets without downtime. See API keys for dashboard steps.