Secret API keys

Issue a server-side secret key (the sk_ path) to authorize production calls — minting realtime grants, the Orders API, uploads, and more. The keyless publishable path (your Shop ID) is on Get started.

Applies to @snowcone-app/sdk@0.17.0

What a secret key is

Some calls run on your server and bill to your organization — minting a realtime render grant, creating an order, requesting an upload URL. Those are authorized by a secret API key — Stripe-shaped, written sk_… in these docs — that you keep server-side and never expose to the browser. It is not the publishable shop.id (safe to expose, like Stripe’s pk_) and it is not the scsec_… shop secret used for signing image URLs; the full credential map is on Authentication.

Each key is shop-scoped and belongs to an organization (the billing entity). Usage made with the key is attributed to that shop. A key carries one or more scopes that gate exactly which endpoints it may call — see Scopes.
Naming convention vs literal prefix. These docs write secret keys as sk_… by Stripe-style convention. The dashboard shows you the full key once at creation; treat whatever it gives you as the secret and store it as SNOWCONE_API_KEY. Match on the value the dashboard returns, not a hard-coded sk_ prefix.

Create a key

Agents: you already have one. Minting a sandbox shop returns a shop-scoped api_key (scopes ai:generate, ai:bg-remove, uploads:write, mockups) that works immediately — AI generation and uploads with no human in the loop. It is revoked automatically when the shop is claimed. Mint/claim details live on Get a Shop ID.

Beyond that auto-issued sandbox key, keys are issued from the dashboard by a signed-in owner or admin of the organization. The flow:

1. Claim a shop

Dashboard-issued keys (your own name, scopes, expiry) require a real, claimed shop. If you started from a sandbox shop (Get started), have your human claim it — claiming also revokes the sandbox api_key, so this is where the human re-issues the agent a least-privilege key.

2. Open the API keys page

Go to snowcone.app/studio/api-keys. The same page shows your publishable shop.id and a one-click Create shop if you don’t have one yet.

3. Name it and pick scopes

Give the key a name (unique within the shop) and select only the scopes it needs — e.g. mockups:realtime for a live preview, orders:add for your own checkout. Optionally set an expiry.

4. Copy it once

The full key is shown only once at creation — copy it immediately into your server’s secrets (e.g. SNOWCONE_API_KEY). If you lose it, revoke it and create a new one. Revoked or expired keys stop working immediately.

Status: custom key issuance (your own name, scopes, expiry) is a dashboard action today (authenticated owner/admin) — there is no programmatic “create a secret key with custom scopes” endpoint. An agent is not blocked, though: the sandbox mint’s auto-issued api_key covers AI generation, background removal, uploads, and mockups until the shop is claimed — see Get a Shop ID.

Use a key

The SDK helpers take the key as an option and keep it server-side. For realtime, the key mints a short-lived grant the browser uses — the key itself never ships to the client:

```ts
// YOUR backend. The secret key never reaches the browser — it mints a
// short-lived grant the client uses (see /realtime).
import { mintRealtimeGrant } from '@snowcone-app/sdk';

export async function POST(req: Request) {
  const { shop } = await req.json();
  const grant = await mintRealtimeGrant({
    apiKey: process.env.SNOWCONE_API_KEY!, // the secret key, with mockups:realtime
    shop,                                  // a shop your key's org owns
  });
  return Response.json(grant); // { token, expiresAt }
}
```

Other server-side endpoints accept the key directly as an x-api-key (or Authorization: Bearer) header:

```sh
# Other server-side APIs take the key directly as a header.
curl https://api.snowcone.app/orders -X POST \
  -H "x-api-key: $SNOWCONE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "json": { "reference": "order-1", "items": [], "shipTo": {} } }'
```

Scopes

A key may call only the endpoints its scopes allow; a call outside its scopes is rejected (403 — API key does not have required scope). Grant the least set you need.

Available scopes

mockups:realtime
    Mint realtime render grants (realtime server-side render). mockups is also accepted for realtime.

mockups
    Mockup generation. Also satisfies the realtime grant.

catalog:read
    Read the product catalog server-side.

orders:add
    Create orders via the Orders API.

orders:read
    Read order status.

orders:ship
    Mark orders shipped.

uploads:write
    Upload artwork with POST /uploads/base64, scoped to the key’s shop (assets land at your-shop-id.storage.snowcone.app — already renderable). Self-serve: a sandbox shop’s key carries this scope.

ai:generate · ai:bg-remove · ai:video
    The AI generation, background-removal, and video endpoints.

dmca:read
    Read DMCA takedown data.

Where it leads