Authentication

The REST API uses the same API keys as AI / Agent access. Mint a key, then send it as a bearer token.

The REST API requires the Elevate plan

Anyone can mint API keys on any plan — they work for AI / Agent access (MCP) regardless of plan. The REST API specifically is an Elevate-plan feature: a request from a shop that isn’t on Elevate returns 403 PLAN_REQUIRED, even with a valid key. The plan is checked on every request against your current subscription, so a downgrade takes effect immediately.

Get a key

Create a read-scope API key in the Agent Access tile of the app. The full walkthrough (and how to revoke) lives in the Agent-access docs:

API keys (mint, scope, revoke) →

Caution

Use a read key. v1 of the REST API is read-only, and a read key has no write methods to reach — so it is the safest credential to hand to an integration.

Send the token

Put the key in the Authorization header:

curl -s -H "Authorization: Bearer lstk_xxxxxxxx" \
  "https://prod.logistified.app/api/v1/purchase-orders"

• A missing or invalid token returns 401 immediately — before any data is touched.
• A revoked key returns 401. Revoke in the Agent-Access tile at any time.
• The key identifies your shop on its own; there is no shop id in the URL.

Tip

Keep keys server-side. Because auth is a bearer token (not a cookie), there’s no CSRF risk — but a leaked key grants read access until you revoke it. Rotate by minting a new key and revoking the old one.

Managing access

Each request is recorded in the audit log (tagged rest:), so you can see which key made which call. Manage and revoke keys from the Agent-Access tile.

Managing access & security →