Authentication
How to authenticate requests to the Driple proxy.
API Key Authentication
Every request to Driple requires an API key sent via the X-Driple-Api-Key header.
curl -H "X-Driple-Api-Key: drpl_your_key_here" \
-H "X-Shopify-Access-Token: shpat_xxxxx" \
"https://api.driple.dev/shopify/my-store/admin/api/2024-01/shop.json"
Required Headers
| Header | Required | Description |
|---|---|---|
| X-Driple-Api-Key | Yes | Your Driple API key |
| X-Shopify-Access-Token | Yes | Your Shopify access token (passed through to Shopify) |
How it works
- Driple validates your API key against its key store
- Checks that the target store is authorized for your key
- Strips the X-Driple-Api-Key header before forwarding to Shopify
- Your X-Shopify-Access-Token is passed through untouched
Store restrictions
API keys can be restricted to specific stores. If your key is configured for store-a only, requests to store-b will return 403 Forbidden.
Wildcard keys (*) allow access to any store — useful for agencies managing multiple clients.
Error responses
Missing API key
{
"error": "unauthorized",
"message": "Missing X-Driple-Api-Key header",
"docs": "https://driple.dev/docs/auth"
}
Status: 401 Unauthorized
Invalid API key
{
"error": "forbidden",
"message": "Invalid API key"
}
Status: 403 Forbidden
Store not authorized
{
"error": "forbidden",
"message": "API key not authorized for store: my-store"
}
Status: 403 Forbidden
Security
- API keys are stored in Cloudflare KV with encryption at rest
- Keys are never forwarded to Shopify or logged in full
- Logs only contain the first 8 characters of your key for debugging
- All traffic is encrypted via TLS (HTTPS only)
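The checks from "How it works", "Store restrictions" and "Error responses", together with the 8-character log prefix from "Security", sketched as one function. This is an added example, not Driple's own code; the function names, the key-store shape (API key mapped to a list of allowed stores) and the log line format are assumptions.

```javascript
// Added illustration of the flow documented above; not Driple's implementation.
// Assumption: the key store maps each API key to its list of allowed stores.
const KEY_HEADER = "x-driple-api-key";

// Log-safe form of a key: first 8 characters only.
function redactKey(key) {
  return key.slice(0, 8) + "...";
}

// headers: plain object of request headers; store: store name from the URL path.
// Returns { ok: false, status, body } on rejection, { ok: true, forward } otherwise.
function authorize(headers, store, keyStore, log = []) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const key = h[KEY_HEADER];
  if (!key) {
    return { ok: false, status: 401, body: { error: "unauthorized",
      message: "Missing X-Driple-Api-Key header", docs: "https://driple.dev/docs/auth" } };
  }
  const allowed = keyStore.get(key);
  if (!allowed) {
    log.push(`rejected key=${redactKey(key)} reason=invalid`);
    return { ok: false, status: 403, body: { error: "forbidden", message: "Invalid API key" } };
  }
  if (!allowed.includes("*") && !allowed.includes(store)) {
    log.push(`rejected key=${redactKey(key)} store=${store}`);
    return { ok: false, status: 403, body: { error: "forbidden",
      message: `API key not authorized for store: ${store}` } };
  }
  // Strip the proxy credential; every other header, including
  // X-Shopify-Access-Token, is forwarded unchanged.
  const forward = { ...h };
  delete forward[KEY_HEADER];
  log.push(`allowed key=${redactKey(key)} store=${store}`);
  return { ok: true, forward };
}

// Constructed sample data: one store-restricted key and one wildcard key.
const keyStore = new Map([
  ["drpl_single_store_key", ["store-a"]],
  ["drpl_agency_wildcard", ["*"]],
]);
```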