Developer docs
Authentication
Use secret keys server-side and publishable keys in browser widgets.
Authentication
Entrega uses bearer tokens. Send the key in the
Authorization
header.
http
Authorization: Bearer sk_live_...Key types
| Key | Prefix | Where to use it |
|---|---|---|
| Secret key |
sk_live_
| Server-to-server Core API requests. |
| Publishable key |
pk_live_
| Browser-side Widget API requests from allowed origins. |
Server-side example
bash
curl https://entrega.ao/v1/couriers \
-H "Authorization: Bearer $ENTREGA_SECRET_KEY"Browser widget example
js
await fetch("https://entrega.ao/v1/widget/quotes", {
method: "POST",
headers: {
"Authorization": `Bearer ${publishableKey}`,
"Content-Type": "application/json"
},
body: JSON.stringify({origin, destination, parcel})
})Origin allow-list
Publishable keys are checked against your configured origins. Configure origins in the dashboard, for example:
-
https://loja.ao -
https://checkout.loja.ao -
http://localhost:3000 -
https://*.loja.ao
Error responses
Missing, invalid, or wrong-surface keys return a problem response with
401
or
403
.
json
{
"type": "https://api.entrega.ao/errors/unauthorized",
"title": "Unauthorized",
"status": 401,
"detail": "Missing or invalid API key"
}