Custom Store Security

Encryption

ShipStation takes security very seriously, which is why we support HTTPS for all Custom Store API requests. HTTPS encrypts the information you send to ShipStation, which keeps it from being readable by malicious third parties, even if they are able to capture the network traffic.

You can usually enable HTTPS easily through your API's hosting service. Verify that HTTPS is configured correctly by using a free service such as SSL Server Test.

Warning: Using HTTPS is not strictly required by ShipStation. However, plain HTTP offers none of the security protections mentioned above, so HTTPS is highly recommended.

Authentication

Using HTTPS to encrypt your network traffic is not the only security-related best practice that we recommend. Authentication allows you to verify that it is ShipStation making a request to your API endpoint and not an unknown third party attempting to access sensitive company and user information.

If the request does not have the correct username and password or the correct API Key, you can deny the request and preserve the privacy and integrity of your customers' data. ShipStation currently supports the following authentication schemes.

Info

Additional Authentication

If you want to integrate with ShipStation using a Custom Store that requires more data to authenticate, or uses a standard like OAuth2, please contact us.

Basic Authentication

Basic Authentication, as its name implies, is a simple username and password combination that will be sent in the header of the ShipStation HTTP request to your custom store.

Basic Auth usernames and passwords are configured in the ShipStation dashboard when connecting your custom store.

A Basic Auth workflow will look something like the following.

  1. ShipStation will initiate a request to your Custom Store.
  2. Your Custom Store will first check for an Authorization header.
  3. The Custom Store will then do a base64 decode of the Authorization header's value and check that it matches the expected value that you configured in ShipStation.
  4. If any of the previous steps fail, then respond to the HTTP request with a 401 status code.

API Keys

You can also configure an API Key to implement authentication for your Custom Store. An API Key is simply a token created and managed by you that ShipStation will include in every request that it initiates to your Custom Store.

The API Key is configured in the ShipStation dashboard when connecting your custom store.

An API Key workflow will look something like the following.

  1. ShipStation will initiate a request to your Custom Store.
  2. Your Custom Store will first check for an API-Key header.
  3. The Custom Store will then take the API-Key header's value and check that it matches the expected value that you configured in ShipStation.
  4. If any of the previous steps fail, then respond to the HTTP request with a 401 status code.
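Both workflows above, sketched as framework-independent checks. This is an added example, not ShipStation's code: the credential values and function names are constructed, and the Authorization header is assumed to use the standard `Basic <base64 of username:password>` form from RFC 7617. Secrets are compared in constant time so response timing does not reveal how much of a guess was correct.

```python
import base64
import hmac

# Constructed sample values; use the ones you configured in the ShipStation dashboard.
EXPECTED_USER = "shipstation-user"
EXPECTED_PASS = "constructed-sample-password"
EXPECTED_API_KEY = "constructed-sample-api-key"


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison (bytes, so non-ASCII input cannot raise)."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic_auth(headers: dict) -> bool:
    """Steps 2-3 of the Basic Auth workflow; expects lower-cased header names."""
    value = headers.get("authorization")
    if not value:
        return False
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or bytes that are not UTF-8
        return False
    user, sep, password = decoded.partition(":")
    if not sep:
        return False
    # Evaluate both comparisons so a wrong username is not rejected faster.
    user_ok = _equal(user, EXPECTED_USER)
    pass_ok = _equal(password, EXPECTED_PASS)
    return user_ok and pass_ok


def check_api_key(headers: dict) -> bool:
    """Steps 2-3 of the API Key workflow; expects lower-cased header names."""
    value = headers.get("api-key")
    return bool(value) and _equal(value, EXPECTED_API_KEY)


def status_for(raw_headers: dict, scheme: str) -> int:
    """Step 4: return 200 when the check passes, 401 on any failure."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): v for k, v in raw_headers.items()}
    ok = check_basic_auth(headers) if scheme == "basic" else check_api_key(headers)
    return 200 if ok else 401
```

In a real endpoint, call the matching check before any request handling and return the 401 without indicating which step failed.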