Skip to main content
Shiipp authenticates all requests to the Prealert API using an API key that is unique to your courier account. You pass this key with every request, and Shiipp uses it to identify your courier, validate your access, and associate submitted prealerts with the correct account.

Finding Your API Key

Your API key is generated automatically when your courier account is created. Retrieve it at any time from the dashboard.
1

Log in to the Shiipp dashboard

Sign in with your courier account credentials at your Shiipp instance URL.
2

Navigate to Courier Settings

Open the navigation menu and select Courier Settings.
3

Copy your key

Your API key is displayed in the API Configuration section. Click the copy icon to copy it to your clipboard.

Using Your API Key

Pass your API key with every request to the Prealert API. The recommended method is the X-API-KEY request header. A query parameter fallback is available but not recommended outside of testing.

Code Examples

curl -X POST https://your-shiipp-domain.com/api/Prealert.php \
  -H "X-API-KEY: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"UserCode":"CUST001","TrackingNumber":"1Z9999999999999999"}'

Rotating Your API Key

If you suspect your key has been compromised, or as part of routine key hygiene, you can regenerate it from the dashboard.
Regenerating your API key immediately invalidates the current key. Any integration still using the old key will receive 403 Forbidden responses. Update all your systems before rotating in a production environment.
1

Open Courier Settings

Navigate to Courier Settings in the Shiipp dashboard.
2

Regenerate the key

Click Regenerate API Key in the API Configuration section. Shiipp generates a new key and invalidates the old one immediately.
3

Update your integrations

Replace the old key value in every system that calls the Prealert API — environment variables, secret managers, CI/CD pipelines, and any other configuration files.

Security Best Practices

Treat your API key like a password. Follow these practices to minimize the risk of unauthorized access.
Never hardcode your API key directly in your source code. Instead, read it at runtime from an environment variable (process.env.SHIIPP_API_KEY, getenv('SHIIPP_API_KEY')) or a dedicated secrets manager such as AWS Secrets Manager, HashiCorp Vault, or your hosting provider’s secret store.
Add .env files and any files that might contain secrets to your .gitignore. Scan your repository history for accidentally committed secrets before they are pushed to a remote. Tools like git-secrets or truffleHog can help automate this check.
Establish a rotation schedule — for example, every 90 days — and rotate immediately if you suspect exposure. Because rotation is instant in Shiipp, the main overhead is updating your downstream systems, so keeping your integration points consolidated makes rotation faster.
If multiple services in your infrastructure call the Prealert API, consider isolating the key in a single internal service that proxies requests. This limits the blast radius if the key is ever exposed — you only have one place to update.