Authentication
All ShipperOne API requests require a Bearer token. The token issued by support is sent directly on every request — there is no separate token exchange step.
Obtaining a token
Section titled “Obtaining a token”There is no public token-issuance endpoint. To obtain a token (or have one revoked), contact your ShipperOne account manager. Tokens are scoped per customer and per environment (live / dev / staging).
Using the token
Section titled “Using the token”Send the token in the Authorization header on every request:
GET /rest/{store_code}/V1/warehouses HTTP/1.1Host: your-shipper-instance.comAuthorization: Bearer <your-token>Accept: application/jsonA working curl example:
curl https://your-shipper-instance.com/rest/{store_code}/V1/warehouses \ -H "Authorization: Bearer $SHIPPER_TOKEN" \ -H "Accept: application/json"Token lifetime and rotation
Section titled “Token lifetime and rotation”Tokens do not expire automatically. Treat them as long-lived secrets:
- Store them in a secrets manager (Vault, AWS Secrets Manager, etc.) — never commit them to source control or log them.
- Rotate them periodically, and immediately if you suspect compromise — contact support to issue a new token and revoke the old one.
- Each integration (ERP, fulfillment partner, marketplace bridge) should use its own dedicated token so you can revoke individual integrations without disrupting others.
Errors
Section titled “Errors”Requests without a valid token return 401 Unauthorized. Requests with a valid token but insufficient scope return 403 Forbidden — contact support if you need additional scope on an existing token.