JWT Bearer Token
For all dashboard and management API calls. Obtain a token by calling
POST /api/login.php, then pass it in the Authorization header.API Key (X-API-KEY)
Exclusively for the public
POST /api/Prealert.php endpoint used by courier partners. Retrieve your key from Courier Settings in the dashboard.JWT Bearer Token
Every request to a management or dashboard endpoint must carry a valid Bearer token. Tokens expire after 8 hours, so your integration should re-authenticate when it receives a401 response.
Obtain a token
CallPOST /api/login.php with your credentials. The action field must be set to "login":
Use the token
Attach thedata.access_token value to every subsequent request:
Code examples
Two-Factor Authentication (2FA)
If your account has 2FA enabled, the standard login call does not return anaccess_token immediately. Instead, it returns an intermediate state that requires you to verify your TOTP code before receiving a usable token.
Step 1 — Initiate login
Send the samePOST /api/login.php request with your username and password. When 2FA is required, the response looks like this:
Step 2 — Verify your TOTP code
Send a secondPOST /api/login.php with the verify_2fa action, including the preauth_token from Step 1 and the six-digit code from your authenticator app:
- TOTP code
- Backup code
The
preauth_token is short-lived (valid for 5 minutes) and single-use. If verification fails, the token is invalidated and you must restart the login flow from Step 1.API Keys (Courier Partners)
Courier partner API keys grant access to a single endpoint:POST /api/Prealert.php. They do not grant access to any other part of the Shiipp API.
Obtain your API key
- Log in to the Shiipp dashboard.
- Go to Settings → Courier Settings.
- Copy the value displayed under API Key.
Pass the key in requests
- HTTP header (recommended)
- Query parameter (not recommended)
Regenerate a key
Navigate to Settings → Courier Settings and click Regenerate API Key. Confirm the action in the dialog. Update all integrations with the new key before the page is closed, as the previous key stops working immediately.Authentication Error Reference
The table below covers the HTTP status codes returned when authentication fails.| Status Code | Meaning |
|---|---|
401 | Missing or invalid token / API key. Re-authenticate to obtain fresh credentials. |
403 | Credentials are valid but the account is disabled or lacks permission for the requested resource. Contact your Shiipp administrator. |
405 | Wrong HTTP method used on the endpoint (for example, GET instead of POST). Check the method in your request. |