Admin API quickstart
Use the Admin API for management of products, prices, inventory, customers, orders, settings, and integrations. Never embed an API key in browser, mobile, or other public client code.
Endpoint and authentication
Send GraphQL requests to:
The Admin API supports two authentication methods. Choose one method per request.
User access token
Send a signed-in Admin user’s access token as a bearer token:
Use a user access token for interactive Admin sessions and operations that require a human user identity. In particular, product exports, translation exports, and translation imports require the user’s ID and email claims.
API key
For a server-to-server integration, send the API key in X-Api-Key:
Do not put an API key in Authorization: Bearer. The gateway validates X-Api-Key and converts it into a short-lived internal identity for downstream services. Keep API keys in server-side secret storage and grant only the permissions the integration needs.
Both methods are scoped by the project in the URL and are subject to permission checks. Missing or invalid credentials are treated as unauthenticated; valid credentials without the required permission are unauthorized.
Run a query
Connections use cursor pagination. Request pageInfo whenever the client may need another page.
Start with after: null, then pass the returned endCursor while hasNextPage is true. Keep page sizes at or below 100.
Run a mutation
Thor mutations return a payload. A successful HTTP response does not by itself mean the business operation succeeded: request both the changed resource and errors.
Also handle top-level GraphQL errors, which cover request validation, authentication, authorization, and unexpected execution failures.