Keys

KEY	PURPOSE
API Key	Used for calling Bolt API from your backend server
Signing Secret	Used for signature verification on requests received from bolt
Publishable Key	Embedded on your website and used by Bolt to identify your website. The publishable key is a long string of lower and upper case letters and numbers that consists of three sections.

NOTE

The publishable key is a long string of lower and upper case letters and numbers that consists of three sections.

Headers

HEADER	VALUE
X-Api-Key	Provide the API_KEY
X-Nonce	unique 12-16 digit for every request (UUID is a good option)
Content-Type	`application/json`

Bolt API URLs

Environment	URL
Sandbox	`https://api-sandbox.bolt.com`
Production	`https://api.bolt.com`

Key Rotation

It is best security practice to rotate cryptographic and API keys on a scheduled basis. Bolt offers the ability to rotate both API Keys and Signing Secret with no downtime.

Prerequisites

Your store is using the new Merchant Dashboard experience.
Contact your CSM to enable the merchant_dash_update_signing_secret_keys feature flag.

Enablement

Navigate to Administration > API and scroll to Signing Secret then click Initiate Key Rotation.
During this step one key is Active and the new key is Pending. Both keys can be used at this time. Use the X-Bolt-Hmac-Sha256 header to validate requests with the old key and the X-Bolt-Hmac-Sha256-Pending header with the pending key.
Once you have completed signing secret rotation within your application click Complete Key Rotation to deactivate the current key and activate the pending key.

NOTE

It is possible to revert to the old signing secret for up to 48 hours. The amount of time left to revert is displayed in the signing secret table. Select Revert Key Rotation to do this.

Rotate API Keys

Bolt allows you to create up to five active API Keys. You can activate and deactivate these keys at any time.

# bolt-api # merchant-api # verification # webhooks # keys

‹

Postman Collection

Environments

›