API keys

An API key (lstk_…) is the credential used by desktop or command-line AI assistants (Claude Desktop, Claude Code, Codex, or a custom agent) and by direct REST API integrations to connect to Logistified. Each key is tied to your single store.

Web-chat apps (claude.ai and ChatGPT) don’t use these keys — they connect a different way. See Connect claude.ai or ChatGPT.

On this page

• Creating a key
• The one-time reveal
• Scopes
• Who created a key
• Revoking a key

Creating a key

1. Open P&H Cloud Platform (Beta) → LLM / Agent Access.
2. In the Create key card, optionally type a Label (for example, Claude Desktop or Laptop CLI) so you can recognise the key later.
3. Pick a Scope — Read only (recommended) or Read & write. See Scopes below.
4. Click Create key.

The new key appears immediately in a green banner at the top of the page.

The one-time reveal

Copy it now — it's shown only once

The full key (lstk_…) is displayed once, right after you create it. Logistified never stores the plaintext key and can’t show it to you again. Click the key to copy it, then paste it into your assistant’s configuration. If you lose it, revoke the key and create a new one.

After you’ve copied it, the banner goes away and the key appears in the Active keys table — but only by its short prefix, never in full.

Scopes

Scope	What it allows
Read only	The assistant can read your data but change nothing. The right default for most connections.
Read & write	The assistant can additionally operate your purchase orders, transfer orders, stock takes, supplier returns, and reorder rules — see Operating purchase orders and Operating transfers, stock takes & returns.

Note

Pick Read & write only when you actually want the assistant to make changes. Every write follows the same lifecycle rules as the app and is fully logged — but Read only is still the safest place to start. A key keeps the scope it was created with; to change it, revoke the key and create a new one.

Who created a key

The Active keys table records who created each key (name and email, taken from the Shopify login of the person who clicked Create key), the scope, your label, and the creation date. This gives you an audit trail when several people in your store can issue keys.

Revoking a key

To turn off a key, click the trash icon on its row in the Active keys table. Revocation takes effect on the assistant’s next request — a revoked key can no longer read any data, and the row is shown struck through and marked revoked.

Revoke a key whenever:

• A laptop or device that held the key is lost.
• Someone who set up an assistant leaves the team.
• You’re rotating credentials as routine hygiene.

Caution

An API key is a bearer credentialBearer credentialA credential where holding the URL or QR code is enough to authenticate. Cloud Platform session links work this way; the TTL is your time-bound security control. Read more → — anyone who has it can read your data until it’s revoked. Treat it like a password: don’t email it, paste it into shared documents, or commit it to a repository.

See also

• Connect a desktop / CLI client — where the key goes for AI assistants.
• REST API authentication — how to use the same key for direct HTTP calls.
• Managing access & security — the full security model.

Last updated: 11 June 2026