You can access all of your API keys in the Bolt Merchant Dashboard under Administration > API.
Keys
| Key | Purpose | Where it runs |
|---|---|---|
| API key | Authenticate outbound Bolt API calls | Backend server only |
| Signing secret | Verify X-Bolt-Hmac-Sha256 on inbound webhooks | Backend server only |
| Publishable key | Identify your store to Bolt client SDKs and embed script | Browser or mobile app |
The publishable key is a long alphanumeric string in three dot-separated sections. Copy it from Administration > API in the merchant dashboard.
| Header | Value |
|---|---|
| X-Api-Key | Your API key |
| X-Nonce | Unique 12 to 16 character value per request (a UUID works) |
| Content-Type | application/json |
API base URLs
| Environment | URL |
|---|---|
| Sandbox | https://api-sandbox.bolt.com |
| Production | https://api.bolt.com |
See Environments for CDN URLs, divisions, and dashboard links.
Key rotation
Rotate API keys and signing secrets on a schedule. Bolt supports rotation with no downtime.
Prerequisites
- Your store uses the new Merchant Dashboard experience.
- Contact your CSM to enable the merchant_dash_update_signing_secret_keys feature flag.
Rotate signing secret
- Go to Administration > API, scroll to Signing Secret, and click Initiate Key Rotation.
- One key is Active and the new key is Pending. Both work during rotation. Validate the old key with X-Bolt-Hmac-Sha256 and the pending key with X-Bolt-Hmac-Sha256-Pending.
- After your app accepts the new secret, click Complete Key Rotation to activate the pending key.
You can revert to the previous signing secret for up to 48 hours. The signing secret table shows time remaining. Select Revert Key Rotation to roll back.
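An added example (not Bolt's code) of a webhook check that keeps working through Initiate, Complete and Revert: it goes slightly beyond the pairing above by trying every signing secret the app holds against both headers. It assumes the signature is the base64-encoded HMAC-SHA256 of the raw request body; `sign`, `verify_webhook` and the sample secrets and payload are hypothetical.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Mapping, Optional

# Header names from the rotation steps, lowercased for lookup.
SIGNATURE_HEADERS = ("x-bolt-hmac-sha256", "x-bolt-hmac-sha256-pending")


def sign(secret: str, body: bytes) -> str:
    # Assumption: signature = base64(HMAC-SHA256(signing secret, raw body)).
    digest = hmac.new(secret.encode(), body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_webhook(body: bytes, headers: Mapping[str, str],
                   secrets: Iterable[str]) -> Optional[str]:
    """Return the name of the header that verified, or None to reject."""
    received = {k.lower(): v.strip() for k, v in headers.items()}
    expected = [sign(s, body).encode() for s in secrets if s]
    for name in SIGNATURE_HEADERS:
        sent = received.get(name, "").encode()
        if not sent:
            continue
        for candidate in expected:
            # Constant-time compare; never use == on signatures.
            if hmac.compare_digest(candidate, sent):
                return name
    return None


if __name__ == "__main__":
    # Constructed sample: secrets and payload are made up for this demo.
    old, new = "old-signing-secret", "new-signing-secret"
    body = b'{"type":"payment","id":"TEST-1"}'
    during = {"X-Bolt-Hmac-Sha256": sign(old, body),
              "X-Bolt-Hmac-Sha256-Pending": sign(new, body)}
    print(verify_webhook(body, during, [old]))       # app not yet updated
    print(verify_webhook(body, during, [new]))       # app updated, rotation open
    print(verify_webhook(body + b" ", during, [old, new]))  # altered body
```

Pass the request body exactly as received, before any JSON parsing, and drop the old secret from the list once the 48-hour revert window has closed.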
Rotate API keys
Bolt allows up to five active API keys. Activate or deactivate keys anytime from Administration > API.