You can access all of your API keys in the Bolt Merchant Dashboard under Administration > API.

Keys

KeyPurposeWhere it runs
API keyAuthenticate outbound Bolt API callsBackend server only
Signing secretVerify X-Bolt-Hmac-Sha256 on inbound webhooksBackend server only
Publishable keyIdentify your store to Bolt client SDKs and embed scriptBrowser or mobile app
The publishable key is a long alphanumeric string in three dot-separated sections. Copy it from Administration > API in the merchant dashboard.Publishable key location in the merchant dashboard API settings

Request headers

HeaderValue
X-Api-KeyYour API key
X-NonceUnique 12 to 16 character value per request (a UUID works)
Content-Typeapplication/json

API base URLs

EnvironmentURL
Sandboxhttps://api-sandbox.bolt.com
Productionhttps://api.bolt.com
See Environments for CDN URLs, divisions, and dashboard links.

Key rotation

Rotate API keys and signing secrets on a schedule. Bolt supports rotation with no downtime.

Prerequisites

  • Your store uses the new Merchant Dashboard experience.
  • Contact your CSM to enable the merchant_dash_update_signing_secret_keys feature flag.

Rotate signing secret

  1. Go to Administration > API, scroll to Signing Secret, and click Initiate Key Rotation.
  2. One key is Active and the new key is Pending. Both work during rotation. Validate the old key with X-Bolt-Hmac-Sha256 and the pending key with X-Bolt-Hmac-Sha256-Pending.
  3. After your app accepts the new secret, click Complete Key Rotation to activate the pending key.
You can revert to the previous signing secret for up to 48 hours. The signing secret table shows time remaining. Select Revert Key Rotation to roll back.

Rotate API keys

Bolt allows up to five active API keys. Activate or deactivate keys anytime from Administration > API.