The Partner API uses HTTP Basic authentication over HTTPS. Every request must include an Authorization header.
Authorization: Basic base64(API_KEY:API_SECRET)
curl, requests, axios, and most HTTP libraries handle the base64 encoding for you.

Where credentials come from

Your klikit integration contact issues two values during onboarding:
  • partner_api_key — the public half. Safe to log in your own systems.
  • partner_api_secret — the secret half. Treat it like a password. Never commit it to git; rotate it via support if you suspect it leaked.
A credential is bound to exactly one business on klikit. You can ask for multiple credentials if you serve multiple businesses.

Scopes

Each credential is granted a subset of scopes. The endpoint that you’re calling must be covered by one of them, or the API returns 403.
Scope              Grants
brands:read        GET /brands, GET /branches
menus:read         GET /menus (both modes)
menus:oos          PATCH /items/{id}/availability (single + bulk)
orders:read        GET /orders, GET /orders/{id}
visibility:write   Branch / brand visibility toggles
webhooks:read      Read your registered webhook URLs (operator-driven today)

If you call an endpoint your credential isn’t scoped for, you’ll get:
{
  "error": {
    "code": "FORBIDDEN_SCOPE",
    "message": "credential is not scoped for menus:oos"
  }
}
Talk to your operator to widen the scope set.

Worked example

curl:

curl -sS \
  -u "$PARTNER_API_KEY:$PARTNER_API_SECRET" \
  "https://api.dev.shadowchef.co/v1/partner/brands"

Python:

import os
import requests

# Credentials come from the environment, never from source code.
r = requests.get(
    "https://api.dev.shadowchef.co/v1/partner/brands",
    auth=(os.environ["PARTNER_API_KEY"], os.environ["PARTNER_API_SECRET"]),
    timeout=10,  # requests has no default timeout; fail instead of hanging
)
r.raise_for_status()
print(r.json())

Node.js:

import fetch from "node-fetch";

// Build the Basic token by hand: base64(API_KEY:API_SECRET).
const auth = Buffer.from(
  `${process.env.PARTNER_API_KEY}:${process.env.PARTNER_API_SECRET}`
).toString("base64");
const res = await fetch("https://api.dev.shadowchef.co/v1/partner/brands", {
  headers: { Authorization: `Basic ${auth}` },
});
console.log(await res.json());

Rotating a secret

The operator can re-issue your secret at any time. The old secret keeps working for 15 minutes after rotation so you can roll the new value through your config without dropping requests; after that window it returns 401. Schedule rotations during a low-traffic period and update both halves of your deployment before the window expires.
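
An added example (not klikit's own code) of a client wrapper for the two failure modes described above: the 403 FORBIDDEN_SCOPE response and the 401 returned once the rotation window has closed. The `send` and `load_credentials` hooks are hypothetical names you supply yourself; the transport is left abstract so the logic runs offline.

```python
import base64
import json


class ScopeError(Exception):
    """Credential lacks the scope for this endpoint; retrying cannot help."""


class AuthError(Exception):
    """Credentials rejected even after reloading them from configuration."""


def basic_auth_header(api_key, api_secret):
    # Authorization: Basic base64(API_KEY:API_SECRET), as the page specifies.
    raw = f"{api_key}:{api_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def call_partner_api(send, load_credentials, method, path):
    """Call one endpoint, reloading credentials once if the API answers 401.

    send(method, path, headers) -> (status, body_text) is a hypothetical
    transport hook; load_credentials() -> (key, secret) is a hypothetical
    loader that re-reads your secret store on every call.
    """
    for attempt in range(2):
        api_key, api_secret = load_credentials()
        headers = {"Authorization": basic_auth_header(api_key, api_secret)}
        status, body = send(method, path, headers)
        if status == 401 and attempt == 0:
            continue  # secret may have been rotated: re-read it and retry once
        if status == 401:
            # Name only the public key half; the secret never enters logs.
            raise AuthError(f"401 for key {api_key} after reload")
        if status == 403:
            err = json.loads(body).get("error", {})
            if err.get("code") == "FORBIDDEN_SCOPE":
                # A scope gap is a provisioning issue, not a transient fault.
                raise ScopeError(err.get("message", "scope not granted"))
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}")
        return json.loads(body)
```

Keeping the 401 retry to a single reload prevents a worker with a genuinely revoked credential from hammering the API, and raising a distinct `ScopeError` lets alerting separate scope gaps from credential problems.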

What stops here

This endpoint family does not support OAuth2, JWT, or client certificates. If your security policy requires one of those, raise it with [email protected] — we don’t have a public timeline yet.