Application keys (`appKey`) are credentials used to authenticate requests to VTEX APIs. Store administrators can create multiple application keys that may be used, for example, for different integrations. Read Generating and managing application keys to learn how to create these credentials.
An application key includes specific permissions, based on License Manager roles and resources selected when creating or editing the application key. Read Managing app key permissions for more details.
Each `appKey` you create has an associated `appToken`. The appKey-appToken pair can be used in API requests to authorize interactions with VTEX services if they have roles with the required resources.
Application keys are usually the best way to authenticate API calls in your integrations or in self-hosted backend requests in general. However, frontend requests should be authenticated with user tokens.
Do not use application keys in your client-side code. Doing so makes your store vulnerable to attacks. Follow the Best practices for using application keys.
Usage
Use the `appKey` and `appToken` credential pair to authenticate API requests by sending their values in these HTTP headers:
Header key | Value |
---|---|
X-VTEX-API-AppKey | {appKey} |
X-VTEX-API-AppToken | {appToken} |
See an example Get order request:
```sh
curl --location --request GET 'https://apiexamples.vtexcommercebeta.com.br/api/oms/pvt/orders/:orderId' \
--header 'X-VTEX-API-AppKey: vtexappkey-example-YSWQFZ' \
--header 'X-VTEX-API-AppToken: eyJhbGciOiJFUzI1NiIsImtpZCI6IjA1MTZFN0IwMDNFODMxRTg0QkFDOTg2NzBCNUM2QTRERTlBN0RFNkUiLCJ0eXAiOiJqd3QifQ.eyJzdWIiOiJwZWRyby5jb3N0YUB2dGV4LmNvbS5iciIsImFjY291bnQiOiJhcHBsaWFuY2V0aGVtZSIsImF1ZGllbmNlIjoiYWRtaW4iLCJzZXNzIjoiZjU3YjMyMGItMWE3YS00YzlkLWJkNDMtZTE4NDdhYmE1MTE1IiwiZXhwIjoxNjE2NzY3Mjc4LCJ1c2VySWQiOiJmYjU0MmU1MS01NDg4LTRjMzQtOGQxNy1lZDhmY2Y1OTdhOTQiLCJpYXQiOjE2MwerY2ODA4NzgsImlzcyI6InRva2VuLWVtaXR0ZXIiLCJqdGkiOiJmYTI0YWJiOC03Y2E5LTQ3NjUtYmYzNC1kMmvU5YTgzYjYxZmUifQ.23rn-2dEdAAYXJX2exrxDEdbieyKWsVKABeSUNeFWyhz7xRd7d5EcxwiMLjM3bRaBOKrAA9Op7ocn89c45qQ' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json'
```
According to the W3C definition of Message Headers in HTTP requests, header names are case-insensitive. `X-VTEX-API-AppKey`, `x-vtex-api-appkey` or any other variation in the authentication headers will work the same way.
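
A build-time check for the rule above that application keys must not appear in client-side code, written as an added example (not VTEX code). It matches the two authentication header names in any capitalisation, since header names are case-insensitive; the `vtexappkey-` value pattern is an assumption based on the sample key on this page, and the function names and bundle text are constructed for illustration.

```python
import re

# Header names from the table above. HTTP header names are case-insensitive,
# so every capitalisation must match.
HEADER_RE = re.compile(r"x-vtex-api-app(?:key|token)", re.IGNORECASE)
# A quoted literal right after the header name means a hardcoded credential.
LITERAL_RE = re.compile(
    r"""x-vtex-api-app(?:key|token)['"]?\s*[:,]\s*['"]([^'"]+)['"]""", re.IGNORECASE)
# Assumption: key values look like this page's sample, vtexappkey-example-YSWQFZ.
APPKEY_RE = re.compile(r"vtexappkey-[A-Za-z0-9]+-[A-Z]{6}")

# Constructed sample of a client-side bundle (placeholder values, not real secrets).
SAMPLE_BUNDLE = """\
const headers = {
  "x-vtex-api-appkey": "vtexappkey-example-ABCDEF",
  "X-VTEX-API-AppToken": "CONSTRUCTED-TOKEN-VALUE",
};
fetch("/api/oms/pvt/orders/" + orderId, { headers });
const h = new Headers(); h.set("X-Vtex-Api-AppToken", token);
const fallbackKey = "vtexappkey-example-ABCDEF";
"""


def redact(value, keep=4):
    """Keep a short prefix only, so scan output never re-leaks the secret."""
    return value[:keep] + "********"


def scan_client_source(name, text):
    """Return (file, line, kind, evidence) findings for one client-side file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        literal = LITERAL_RE.search(line)
        header = HEADER_RE.search(line)
        if literal:
            findings.append((name, lineno, "hardcoded-credential", redact(literal.group(1))))
        elif header:
            findings.append((name, lineno, "auth-header-in-client-code", header.group(0)))
        for key in APPKEY_RE.findall(line):
            # Skip the value already reported as a hardcoded credential.
            if not literal or key != literal.group(1):
                findings.append((name, lineno, "appkey-value", redact(key, keep=11)))
    return findings


if __name__ == "__main__":
    for finding in scan_client_source("bundle.js", SAMPLE_BUNDLE):
        print(*finding, sep="\t")
```

Any finding in a frontend bundle should fail the build; the request belongs in a backend that holds the credential pair, and a key that already shipped to clients should be treated as exposed.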