POST /api/dashboard/storefront-tokens
Create Storefront Token
Example request

curl --request POST \
  --url https://api.example.com/api/dashboard/storefront-tokens \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "allowed_origins": [
    "<string>"
  ]
}
'
Example response

{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "key_id": "<string>",
  "secret_prefix": "<string>",
  "name": "<string>",
  "scopes": [
    "<string>"
  ],
  "allowed_origins": [
    "<string>"
  ],
  "created_at": "2023-11-07T05:31:56Z",
  "last_used_at": "2023-11-07T05:31:56Z",
  "revoked_at": "2023-11-07T05:31:56Z",
  "secret": "<string>"
}

Headers

authorization (string | null)
X-API-Key (string | null)
X-Stella-Merchant-Id (string | null)

Body

application/json

name (string | null)
Human label for this token, e.g. 'Kasa production'. Maximum string length: 255.

scopes (string[] | null)
Subset of allowed scopes. If omitted, all four default-on scopes are granted: ['cart:write', 'catalog:read', 'checkout:create', 'customer:auth'].

allowed_origins (string[] | null)
Browser origins allowed to use this token (e.g. ['https://kasa.com']). An empty list means any origin; in that case server-side use only is recommended.

Response

Successful Response

Response from POST /storefront-tokens. The secret field (stk_sec_<...>) is shown exactly once and is not recoverable from the server afterwards. Dashboards must surface this clearly.

id (string<uuid>, required)
key_id (string, required)
secret_prefix (string, required)
name (string | null, required)
scopes (string[], required)
allowed_origins (string[], required)
created_at (string<date-time>, required)
last_used_at (string<date-time> | null, required)
revoked_at (string<date-time> | null, required)
secret (string, required)
The plaintext storefront secret (stk_sec_<...>). Returned only at creation time; not recoverable later.
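The following is an added example, not code from this API reference or its project, showing how a dashboard or provisioning script would call this endpoint: request an explicit least-privilege scope list instead of relying on the four default-on scopes, validate and pin the browser origins, require an explicit opt-in before sending an empty allowed_origins list, and split the one-time secret from the metadata that gets persisted. The endpoint path, headers, field names, scope values and the stk_sec_ prefix come from the reference above; the `send` transport parameter, the `TokenCreation` dataclass, the `resource:action` scope shape, the origin validation rules and the sample response values are assumptions made for this example.

```python
import json
import re
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlsplit

# Values taken from the API reference above.
BASE_URL = "https://api.example.com"
ENDPOINT = "/api/dashboard/storefront-tokens"
SECRET_PREFIX = "stk_sec_"
MAX_NAME_LEN = 255
DEFAULT_ON_SCOPES = ["cart:write", "catalog:read", "checkout:create", "customer:auth"]

# Assumption for this example: scope strings look like "resource:action".
SCOPE_RE = re.compile(r"^[a-z_]+:[a-z_]+$")


def normalize_origin(origin: str) -> str:
    """Accept only a bare scheme://host[:port] origin (assumed client-side rule).

    An origin check compares scheme, host and port; a configured value that
    carries a path, query or fragment would never match a browser's Origin
    header, so reject it up front instead of shipping a silently broken list.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("https", "http") or not parts.netloc:
        raise ValueError(f"not an origin: {origin!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"origin must not carry a path, query or fragment: {origin!r}")
    return f"{parts.scheme}://{parts.netloc.lower()}"


def build_payload(name: str, scopes: list, allowed_origins: list) -> dict:
    """Build the JSON body for POST /api/dashboard/storefront-tokens."""
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError(f"name must be 1..{MAX_NAME_LEN} characters")
    scopes = list(dict.fromkeys(scopes))  # de-duplicate, keep order
    if not scopes:
        # Omitting scopes grants all four default-on scopes; insist on an
        # explicit least-privilege list instead of relying on that default.
        raise ValueError("pass the scopes the storefront actually needs")
    for scope in scopes:
        if not SCOPE_RE.match(scope):
            raise ValueError(f"malformed scope {scope!r}")
    origins = list(dict.fromkeys(normalize_origin(o) for o in allowed_origins))
    return {"name": name, "scopes": scopes, "allowed_origins": origins}


@dataclass
class TokenCreation:
    token: dict   # metadata (id, key_id, secret_prefix, ...) safe to persist
    secret: str   # plaintext stk_sec_...: hand to a secrets manager, never log it


def _http_send(req: urllib.request.Request) -> bytes:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def create_storefront_token(name, scopes, allowed_origins, api_key, merchant_id,
                            server_side_only=False, send=_http_send) -> TokenCreation:
    """Create a token and separate the one-time secret from storable metadata.

    `send` is an injectable transport (assumption for this example) so the flow
    can be exercised offline; by default it performs the real HTTPS request.
    """
    if not allowed_origins and not server_side_only:
        # Empty allowed_origins means any origin may use the token; make the
        # caller confirm that the token is intended for server-side use only.
        raise ValueError("empty allowed_origins allows any origin; pass server_side_only=True")
    payload = build_payload(name, scopes, allowed_origins)
    req = urllib.request.Request(
        BASE_URL + ENDPOINT,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "X-API-Key": api_key,
                 "X-Stella-Merchant-Id": merchant_id},
        method="POST",
    )
    body = json.loads(send(req))
    secret = body.pop("secret")  # strip the secret before the metadata is stored
    if not secret.startswith(SECRET_PREFIX):
        raise ValueError("response secret lacks the documented stk_sec_ prefix")
    return TokenCreation(token=body, secret=secret)


# Constructed sample response shaped like the reference's example; the key id,
# prefix and secret are placeholders, not real values.
SAMPLE_RESPONSE = json.dumps({
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "key_id": "<key-id placeholder>",
    "secret_prefix": "<secret-prefix placeholder>",
    "name": "Kasa production",
    "scopes": ["catalog:read", "cart:write"],
    "allowed_origins": ["https://kasa.com"],
    "created_at": "2023-11-07T05:31:56Z",
    "last_used_at": None,
    "revoked_at": None,
    "secret": "stk_sec_EXAMPLE_PLACEHOLDER_SECRET",
}).encode()


def demo():
    """Run the flow offline against SAMPLE_RESPONSE; returns (result, what was sent)."""
    sent = {}

    def fake_send(req):
        sent["method"] = req.get_method()
        sent["payload"] = json.loads(req.data)
        return SAMPLE_RESPONSE

    created = create_storefront_token(
        name="Kasa production",
        scopes=["catalog:read", "cart:write", "cart:write"],
        allowed_origins=["https://kasa.com", "https://KASA.com/"],
        api_key="<api-key placeholder>",
        merchant_id="<merchant-id placeholder>",
        send=fake_send,
    )
    return created, sent


if __name__ == "__main__":
    created, sent = demo()
    print("sent:", sent)
    print("persist:", created.token)
    print("secret shown once; starts with", created.secret[:len(SECRET_PREFIX)])
```

`demo()` shows the two points the reference stresses: the duplicate scope and the differently-cased origin with a trailing slash collapse to a single clean entry in the sent payload, and the returned `TokenCreation` carries the secret only in its own field, so the dict you persist never contains it. Replace `fake_send` with the default transport and real header values to run against the live endpoint.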