An API Client represents a set of credentials (Client ID and Client Secret) tied to your account/brand that applications and integrations use to authenticate with the Dropship V3 APIs. You can use API Clients to:
  • Generate credentials for server-to-server integrations.
  • Isolate access for different apps/environments (for example, ERP Prod, ERP Staging).
  • Rotate or revoke credentials without impacting other systems.

Prerequisites

  • Admin access to your Dropship account.
  • Decision on naming (use a clear, environment-specific name).
  • A secure place to store secrets (for example, a secret manager such as AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or your CI/CD secret store).

Create a New API Client

  1. Navigate to Settings → API Clients in the Dropship console.
  2. Click Add API Client.
  3. Enter a clear Client Name (for example, erp-prod, integration-staging).
  4. Click Create Client.
  5. The client is created and now appears in your API Clients list.

Create separate clients for each environment (Prod, Staging, Dev) and for each distinct integration. This minimizes risk and streamlines credential rotation.

Accessing Client Credentials (One-Time Secret Reveal)

  1. In Settings > API Clients, click the Client Name you just created. The Client Credentials page is displayed.
  2. In Client Credentials, you’ll see:
    • Client Name (as entered)
    • API URL (base URL for requests)
    • Brand ID
    • Client ID
    • Client Secret (hidden by default)
  3. The Client Secret can only be accessed once. When you are prepared to capture it, click Get Client Secret > Show API Secret.
  4. Copy the secret using the provided button and store it in your secret manager immediately.

Using the Credentials for Authentication

Most integrations will exchange the Client ID and Client Secret for an access token, then include that token in API calls. See the detailed flows and examples in the Authentication Guide.

Best Practices

  • Least privilege by isolation: Create distinct clients per environment/app.
  • Rotate regularly: Establish a key rotation cadence (for example, quarterly or on team changes).
  • Never embed secrets in code: Use environment variables or a secret manager.
  • Restrict distribution: Share Client Secrets only with systems (not people) that need them.
  • Monitor & alert: Track usage and set alerts on unusual activity if available.
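
The Python example below is added here and is not part of the Dropship documentation or any Dropship SDK. It loads one API Client's values from environment variables, fails closed when any value is missing or the API URL is not HTTPS, and keeps the Client Secret out of log output. The DROPSHIP_<CLIENT_NAME>_* variable naming scheme and all sample values are assumptions constructed for illustration.

```python
import os
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Order matches the dataclass fields after client_name.
FIELDS = ("API_URL", "BRAND_ID", "CLIENT_ID", "CLIENT_SECRET")


@dataclass(frozen=True)
class ApiClientCredentials:
    client_name: str
    api_url: str
    brand_id: str
    client_id: str
    # repr=False keeps the secret out of logs, tracebacks and debug output.
    client_secret: str = field(repr=False)


def env_prefix(client_name: str) -> str:
    """'erp-prod' -> 'DROPSHIP_ERP_PROD_' (naming scheme is an assumption)."""
    return "DROPSHIP_" + client_name.upper().replace("-", "_") + "_"


def load_credentials(client_name: str, env=os.environ) -> ApiClientCredentials:
    """Load one API Client's values from the environment, failing closed."""
    prefix = env_prefix(client_name)
    values = {f: env.get(prefix + f, "").strip() for f in FIELDS}
    missing = [prefix + f for f, v in values.items() if not v]
    if missing:
        # Report variable names only, never the values.
        raise RuntimeError("missing credential variables: " + ", ".join(missing))
    url = urlparse(values["API_URL"])
    if url.scheme != "https" or not url.hostname:
        raise RuntimeError(prefix + "API_URL must be an https:// URL")
    return ApiClientCredentials(client_name, *(values[f] for f in FIELDS))


if __name__ == "__main__":
    # Constructed sample values; a secret manager injects the real ones.
    sample = {
        "DROPSHIP_ERP_PROD_API_URL": "https://api.example.invalid",
        "DROPSHIP_ERP_PROD_BRAND_ID": "brand-0000",
        "DROPSHIP_ERP_PROD_CLIENT_ID": "client-0000",
        "DROPSHIP_ERP_PROD_CLIENT_SECRET": "constructed-secret-value",
    }
    print(load_credentials("erp-prod", env=sample))
```

Because each client name maps to its own variable prefix, a process configured for erp-prod cannot silently pick up the integration-staging credentials, and vice versa.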

Rotating or Revoking a Client

  • Rotate: Create a new API Client, deploy the new Client ID/Secret, validate, then delete the old client.
  • Revoke immediately if you suspect compromise. Replace the credentials across all dependent systems.

Troubleshooting

  • I can’t see the Client Secret again: This is expected. Open a Support ticket to reset.
  • Authentication failures (401/403):
    • Verify you’re using the correct API URL for your environment.
    • Confirm the Client ID/Secret are accurate and not expired/rotated.
    • Ensure your token acquisition flow matches the Authentication Guide.
  • Wrong brand or environment: Double-check the Brand ID and the API URL shown on the client’s detail page.

FAQ