Custom Store Security
Encryption
ShipStation takes security very seriously, which is why we support HTTPS for all Custom Store API requests. HTTPS encrypts the information you send to ShipStation, which keeps it from being readable by malicious third parties even if they are able to capture the network traffic.
You can usually enable HTTPS easily through your API's hosting service. Verify that HTTPS is configured correctly by using a free service such as SSL Server Test.
Warning: Using HTTPS is not strictly required by ShipStation; however, plain HTTP offers none of the security protections mentioned above, so HTTPS is highly recommended.
Authentication
Using HTTPS to encrypt your network traffic is not the only security-related best practice that we recommend. Authentication allows you to verify that it is ShipStation making a request to your API endpoint and not an unknown third party who is attempting to access sensitive company and user information.
If the request does not have the correct username and password or the correct API Key, you can deny the request and preserve the privacy and integrity of your customers' data. ShipStation currently supports the following authentication schemes.
Info
Additional Authentication
If you want to integrate with ShipStation using a Custom Store that requires more data to authenticate, or uses a standard like OAuth2, please contact us.
Basic Authentication
Basic Authentication, as its name implies, is a simple username and password combination that will be sent in the header of the ShipStation HTTP request to your custom store.
Basic Auth usernames and passwords are configured in the ShipStation dashboard when connecting your custom store.
A Basic Auth workflow will look something like the following.
- ShipStation will initiate a request to your Custom Store.
- Your Custom Store will first check for an Authorization header.
- The Custom Store will then do a base64 decode of the Authorization header's value and check that it matches the expected value that you configured in ShipStation.
- If any of the previous steps fail, then respond to the HTTP request with a 401 status code.
API Keys
You can also configure an API Key to implement authentication for your Custom Store. An API Key is simply a token created and managed by you that ShipStation will include in every request that it initiates to your Custom Store.
The API Key is configured in the ShipStation dashboard when connecting your custom store.
An API Key workflow will look something like the following.
- ShipStation will initiate a request to your Custom Store.
- Your Custom Store will first check for an API-Key header.
- The Custom Store will then take the API-Key header's value and check that it matches the expected value that you configured in ShipStation.
- If any of the previous steps fail, then respond to the HTTP request with a 401 status code.
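The Basic Authentication and API Key workflows above, sketched as an added Python example (not ShipStation's code) that returns the status code a Custom Store should send. The credential values, function names and the dict-of-headers input are assumptions for illustration, and the Basic check assumes the standard `Basic <base64(username:password)>` header format.

```python
import base64
import hmac

# Constructed sample credentials; in practice load these from a secret store.
EXPECTED_USER = "shipstation-user"
EXPECTED_PASSWORD = "correct horse battery staple"
EXPECTED_API_KEY = "example-api-key-0123456789"


def _header(headers, name):
    """HTTP header names are case-insensitive; return the value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _same(a, b):
    """Constant-time comparison so response timing does not leak the secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def check_basic_auth(headers):
    """Return 200 if the Authorization header carries the expected credentials, else 401."""
    value = _header(headers, "Authorization")
    if not value:
        return 401
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic":
        return 401
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and undecodable bytes
        return 401
    user, sep, password = decoded.partition(":")
    if not sep:
        return 401
    # Evaluate both comparisons so a wrong username is not rejected earlier.
    user_ok = _same(user, EXPECTED_USER)
    password_ok = _same(password, EXPECTED_PASSWORD)
    return 200 if (user_ok and password_ok) else 401


def check_api_key(headers):
    """Return 200 if the API-Key header matches the configured key, else 401."""
    value = _header(headers, "API-Key")
    if not value or not _same(value, EXPECTED_API_KEY):
        return 401
    return 200
```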