Authentication
Authenticate API requests by including your API key in the X-Api-Key header.
```bash
curl -H "X-Api-Key: mp_xNjQSmdi_q2b7QBo..." \
  "https://lite-dev.palmnet.co/v1/orgs/{orgId}/orders"
```
Creating a Key
- In the admin dashboard, go to Settings → API Keys.
- Click Create API Key and give it a descriptive name.
- Copy the key immediately.
Warning: The full key is displayed only once. Store it securely; you cannot retrieve it later.
Key Format
Keys follow the pattern `mp_<prefix>_<secret>`:
| Segment | Description |
|---|---|
| `mp_` | Fixed prefix identifying a Palm API key |
| `<prefix>` | 8-character identifier, visible in the dashboard for reference |
| `<secret>` | Random secret (not stored on our side) |
Scopes
Each key is issued with scopes that control which endpoints it can access.
| Scope | Grants access to |
|---|---|
| `orders:read` | List Orders, Get Order |
Calling an endpoint without the required scope returns 403 Forbidden.
Revoking a Key
To revoke a key, click the delete action next to it in Settings → API Keys. Revoked keys are rejected immediately.
Error Responses
| Status | Meaning |
|---|---|
| 401 | Missing, malformed, or revoked API key |
| 403 | Valid key but insufficient scope or wrong orgId |
```json
{
  "error": "invalid api key",
  "request_id": "req-abc123"
}
```
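The key format and error table above suggest a few client-side habits: check the key's shape before sending it, keep the secret segment out of logs, and read the 401/403 body to decide the next step. The following is an added example, not Palm's own code; the function names and the character set assumed for the prefix and secret are illustrative assumptions, and the sample key is constructed.

```python
import json
import re
import urllib.parse
import urllib.request

BASE_URL = "https://lite-dev.palmnet.co/v1"  # host taken from the curl example

# Assumption: prefix and secret use URL-safe characters; the page only fixes
# the "mp_" marker and the 8-character prefix length.
KEY_RE = re.compile(r"\bmp_([A-Za-z0-9]{8})_[A-Za-z0-9_\-]+")


def parse_key(key: str) -> tuple[str, str]:
    """Split mp_<prefix>_<secret>; raise ValueError if the shape is wrong."""
    parts = key.strip().split("_", 2)
    if len(parts) != 3 or parts[0] != "mp" or len(parts[1]) != 8 or not parts[2]:
        raise ValueError("API key does not match mp_<prefix>_<secret>")
    return parts[1], parts[2]


def redact(text: str) -> str:
    """Replace the secret segment of any key in text, keeping the prefix."""
    return KEY_RE.sub(lambda m: f"mp_{m.group(1)}_[REDACTED]", text)


def orders_request(org_id: str, key: str) -> urllib.request.Request:
    """Build (not send) the List Orders request with the X-Api-Key header."""
    parse_key(key)  # fail early on a truncated or mangled key
    org = urllib.parse.quote(org_id, safe="")  # keep orgId inside one path segment
    return urllib.request.Request(f"{BASE_URL}/orgs/{org}/orders",
                                  headers={"X-Api-Key": key})


def explain_error(status: int, body: str) -> str:
    """Map the documented 401/403 responses to the next step for the caller."""
    info = json.loads(body) if body else {}
    if status == 401:
        hint = "key missing, malformed, or revoked: check the header or create a new key"
    elif status == 403:
        hint = "key valid but lacks the required scope or is used with the wrong orgId"
    else:
        hint = "not an authentication error"
    rid = info.get("request_id", "unknown")
    return f"{status} {info.get('error', '')} (request_id={rid}): {hint}"


if __name__ == "__main__":
    sample = "mp_AbCd1234_constructedSecretValue"  # constructed, not a real key
    print(redact(f'curl -H "X-Api-Key: {sample}" ...'))
    print(explain_error(401, '{"error": "invalid api key", "request_id": "req-abc123"}'))
```

Logging only the redacted form still leaves the 8-character prefix visible, which matches what the dashboard shows and is enough to identify which key was used.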