IMPORTANT: API Keys grant access to sensitive account and customer data. Keys must be treated as a critical organizational secret and must not be stored or communicated in ways that could lead to them being leaked accidentally. Never share an API Key with any unauthorized third party, including AI chats.
Overview
The API Key Manager gives you self-service control over the API keys your integrations use to connect to Offset Commerce. From Settings → API Keys you can create new keys, delete keys you no longer need, and see when each key was created and last used.
API keys work like passwords for your integrations — anyone who has a key can act on your account through the API. The tools below help you keep that access tight and easy to manage.
Admin access required: Only team members with admin permissions can view and manage API keys. If you don't see the API Keys page under Settings, ask an admin on your account. Learn more about permission levels in Team Members.
Creating an API Key
Go to Settings → API Keys
Click + Create Key
Enter a descriptive memo so you can recognize the key later (e.g., "Fulfillment integration" or "Marketing site cart")
Copy the key and store it somewhere secure
Important: Treat your key like a password. Paste it directly into the tool that needs it — not into a shared doc, email, or chat thread. Once a key is created, only its last few characters are shown in the key list, so make sure you've used or securely saved it before leaving the page.
The API Keys page shows each key's memo, when it was created and by whom, and when it was last used — making it easy to spot keys that are stale or unaccounted for.
Note: Keys created before this page existed are still active and will appear in the list, but the Created By column will be blank for them — we didn't capture that information at the time. A blank Created By on an older key is expected and doesn't mean anything is wrong with the key.
Rotating an API Key
To rotate (replace) a key, create a new key, update your integration to use it, then delete the old key. Rotate a key when:
A key may have been exposed (shared in an email, pasted somewhere public, included in a screenshot)
A team member or vendor with access to the key leaves
You're doing routine rotation (see best practices below)
To delete a key, click the × at the end of its row and confirm. Deletion is immediate and permanent — any integration still using that key will stop working right away, so always have the new key in place before deleting the old one, especially for anything customer-facing like your cart or fulfillment connection.
Best Practices for Managing API Keys
Paste keys directly into the tool that needs them — don't save copies. When connecting a tool like Klaviyo or RedChirp, paste the key straight into that tool's settings and don't keep a copy in a doc, spreadsheet, email, or note. If you ever need the key again, create a new one. If you do need to store a key (for example, to hand off to a developer), use a team password manager like 1Password — never a shared document, even a password-protected one.
Use a separate key for each integration. If your fulfillment system, marketing site, and reporting tool each have their own key, you can rotate one without breaking the others — and if a key leaks, you'll know exactly where it came from.
Rotate keys on a schedule. Even with no known exposure, rotating keys every 90 days or so limits how long a quietly leaked key stays useful.
Remove keys you're not using. Check the Last Used column on the API Keys page — if an integration is retired or a key shows no recent use you can't account for, delete it. Unused keys are pure risk with no benefit.
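The two checks above (rotate on a schedule, remove keys with no recent use) can be run mechanically over the same columns the API Keys page shows: memo, created, created by, last used. The script below is an added example, not Offset Commerce code, and the key list in it is constructed; the 90-day rotation age comes from the text above, while the 30-day "no recent use" threshold is an assumed value you would tune to your own integrations.

```python
"""Audit API keys for scheduled rotation and stale/unused removal.

Added example (not Offset Commerce code). The key records below are constructed
to mirror the columns on the Settings -> API Keys page.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ROTATION_AGE_DAYS = 90   # rotate on a schedule (from the best practices above)
STALE_AFTER_DAYS = 30    # assumed threshold for "no recent use you can't account for"


@dataclass
class ApiKey:
    memo: str
    created: date
    created_by: Optional[str]   # blank for keys created before the page existed
    last_used: Optional[date]   # None if the key has never been used


def audit(keys: List[ApiKey], today: date) -> Tuple[List[str], List[str]]:
    """Return (memos to rotate, memos to delete).

    A key with no use in STALE_AFTER_DAYS (or never used since creation) is a
    deletion candidate. A key that is still in use but older than
    ROTATION_AGE_DAYS is due for scheduled rotation.
    """
    rotate, delete = [], []
    for key in keys:
        age_days = (today - key.created).days
        idle_days = age_days if key.last_used is None else (today - key.last_used).days
        if idle_days >= STALE_AFTER_DAYS:
            delete.append(key.memo)
        elif age_days >= ROTATION_AGE_DAYS:
            rotate.append(key.memo)
    return rotate, delete


# Constructed sample list; dates are invented for illustration.
SAMPLE_KEYS = [
    ApiKey("Fulfillment integration", date(2024, 1, 15), "alice", date(2024, 5, 31)),
    ApiKey("Marketing site cart", date(2024, 4, 20), "bob", date(2024, 5, 30)),
    ApiKey("Old reporting export", date(2023, 8, 1), None, date(2024, 2, 10)),
    ApiKey("Developer handoff", date(2024, 3, 1), "alice", None),
]
SAMPLE_TODAY = date(2024, 6, 1)


if __name__ == "__main__":
    to_rotate, to_delete = audit(SAMPLE_KEYS, SAMPLE_TODAY)
    print("Rotate (older than %d days, still in use):" % ROTATION_AGE_DAYS, to_rotate)
    print("Delete (idle %d+ days):" % STALE_AFTER_DAYS, to_delete)
```

A blank created_by (the "Old reporting export" entry) is expected for older keys and is deliberately not treated as a finding; only age and last use drive the decision.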
A note on AI tools (ChatGPT, Claude, and others)
More teams are using AI assistants to write code, debug integrations, and draft documentation — and API keys are leaking into those tools more often as a result. A few rules to share with anyone on your team who works with your Offset Commerce keys:
Never paste a real API key into an AI chat. If you're asking an AI tool for help with integration code or an error message, replace the key with a placeholder like YOUR_API_KEY first. Conversations may be stored, reviewed, or used in ways you don't control.
Watch for keys hiding in pasted content. Keys often slip in indirectly — inside error logs, request headers, config files, or screenshots shared for debugging. Scan anything you paste or upload before sending it.
If a key touches an AI tool, rotate it. Creating a replacement key takes a minute. Assume exposure and swap the key rather than hoping for the best.
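A pre-paste check for the "keys hiding in pasted content" rule can be scripted. The example below is added here and is not Offset Commerce code; because the page does not describe the key format, it does not assume one. Instead it redacts values sitting in the places keys usually hide (Authorization headers and api_key/token/secret assignments) and falls back to flagging any long, high-entropy token elsewhere in the text. The log excerpt and the key-like strings in it are constructed, and the entropy threshold of 3.5 bits per character is an assumed tuning value.

```python
"""Redact likely API keys from logs/config before pasting them into an AI chat.

Added example (not Offset Commerce code). Key format is not assumed; detection
relies on header/assignment context plus a length-and-entropy heuristic.
"""
import math
import re
from collections import Counter
from typing import List, Tuple

PLACEHOLDER = "YOUR_API_KEY"

# Context-based match: an Authorization header value, or a key=value / key: value
# assignment whose name suggests a credential. Group 1 is the prefix we keep,
# group 2 is the secret we replace.
CONTEXT_RE = re.compile(
    r'(?i)('
    r'(?:authorization\s*:\s*(?:bearer|basic)?\s*)'
    r'|(?:api[_-]?key|x-api-key|token|secret)\s*[:=]\s*["\']?'
    r')([A-Za-z0-9_\-.=]{16,})'
)

# Fallback: any standalone token of 24+ key-like characters, judged by entropy.
TOKEN_RE = re.compile(r'(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{24,}(?![A-Za-z0-9_\-])')
ENTROPY_THRESHOLD = 3.5  # assumed: bits/char below which a long token is not secret-like


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for a string of one repeated character."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(text: str, placeholder: str = PLACEHOLDER) -> Tuple[str, List[str]]:
    """Return (redacted text, list of secrets that were removed)."""
    found: List[str] = []

    def replace_in_context(m: "re.Match[str]") -> str:
        found.append(m.group(2))
        return m.group(1) + placeholder

    text = CONTEXT_RE.sub(replace_in_context, text)

    def replace_high_entropy(m: "re.Match[str]") -> str:
        token = m.group(0)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            found.append(token)
            return placeholder
        return token  # long but low-entropy (e.g. a padding marker): leave it

    text = TOKEN_RE.sub(replace_high_entropy, text)
    return text, found


# Constructed debugging excerpt of the kind people paste for help; every
# credential-looking value in it is invented.
SAMPLE_LOG = """2024-06-01T10:02:11Z ERROR request failed: 401 Unauthorized
GET /v1/orders HTTP/1.1
Authorization: Bearer 9f8A2kQ7bZ1xC4mN6pR3tV5wY8zB0dE2
config: api_key = "Q7bZ1xC4mN6pR3tV5wY8zB0dE2gH4jK6"
retry: curl https://api.example.invalid/v1/orders?key=mX3vP9qL2rT8wB5nK7cJ4dF6gH1sZ0yA
marker: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    cleaned, removed = redact(SAMPLE_LOG)
    print(cleaned)
    print("Redacted %d value(s); rotate each of these keys if the original text was already sent." % len(removed))
```

The third secret (after key= in a URL) has no recognised context name, so only the entropy fallback catches it; the repeated-character marker on the last line is long but has zero entropy and is left alone, which is the false-positive case the threshold exists for. Anything the script does redact should be treated as exposed if the unredacted text has already left your machine, and rotated.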
Questions?
If you're unsure whether a key has been exposed, rotate it — there's no downside beyond updating your integration. And if you need help setting up keys, reach out to our support team via chat.
