Admin API quickstart

Use the Admin API for management of products, prices, inventory, customers, orders, settings, and integrations. Never embed an API key in browser, mobile, or other public client code.

Endpoint and authentication

Send GraphQL requests to:

Code in curl

The Admin API supports two authentication methods. Choose one method per request.

User access token

Send a signed-in Admin user’s access token as a bearer token:

Code in curl

Use a user access token for interactive Admin sessions and operations that require a human user identity. In particular, product exports, translation exports, and translation imports require the user’s ID and email claims.

API key

For a server-to-server integration, send the API key in X-Api-Key:

Code in curl

Do not put an API key in Authorization: Bearer. The gateway validates X-Api-Key and converts it into a short-lived internal identity for downstream services. Keep API keys in server-side secret storage and grant only the permissions the integration needs.

Both methods are scoped by the project in the URL and are subject to permission checks. Missing or invalid credentials are treated as unauthenticated; valid credentials without the required permission are unauthorized.

Run a query

Connections use cursor pagination. Request pageInfo whenever the client may need another page.

Code in graphql

Start with after: null, then pass the returned endCursor while hasNextPage is true. Keep page sizes at or below 100.

Run a mutation

Thor mutations return a payload. A successful HTTP response does not by itself mean the business operation succeeded: request both the changed resource and errors.

Code in graphql

Also handle top-level GraphQL errors, which cover request validation, authentication, authorization, and unexpected execution failures.

Next steps