API Keys
REST API reference for managing public keys and secret tokens — create, list, and revoke.
ShipEasyI18n uses two types of credentials. Both are managed via the API or the dashboard under Settings → API Keys.
Public keys (i18n_pk_)
Public keys identify your account in the browser. They appear in the loader script tag and in CDN requests. They are safe to expose in public HTML.
A public key cannot authenticate management API requests — it only routes CDN label file fetches to the correct account.
List public keys
GET /v1/api-keys/public
Authorization: Bearer i18n_at_...{
"data": [
{
"id": "pk_abc123",
"key": "i18n_pk_abc123xyz",
"label": "Production",
"allowedDomains": ["myapp.com", "www.myapp.com"],
"createdAt": "2026-01-01T00:00:00Z",
"revokedAt": null
}
]
}Create a public key
POST /v1/api-keys/public
Authorization: Bearer i18n_at_...
Content-Type: application/json
{
"label": "Production",
"allowedDomains": ["myapp.com", "www.myapp.com"]
}allowedDomains restricts which origins can use this key for CDN requests. Omit to allow all origins (useful for development).
{
"id": "pk_abc123",
"key": "i18n_pk_abc123xyz",
"label": "Production",
"allowedDomains": ["myapp.com"],
"createdAt": "2026-04-11T10:00:00Z",
"revokedAt": null
}Revoke a public key
DELETE /v1/api-keys/public/:id
Authorization: Bearer i18n_at_...Revoking a public key immediately stops the loader from fetching labels on any site using that key. Unpublished sites will show raw fallback strings.
{ "revoked": true, "revokedAt": "2026-04-11T10:05:00Z" }Secret tokens (i18n_at_)
Secret tokens authenticate management API calls — creating keys, running translations, publishing. Never expose in client-side code or public repos.
Tokens are shown exactly once on creation. Only the SHA-256 hash is stored by ShipEasyI18n.
List secret tokens
GET /v1/api-keys/tokens
Authorization: Bearer i18n_at_...Returns token metadata only — the actual token value is never returned after creation.
{
"data": [
{
"id": "tok_abc123",
"label": "CI/CD — GitHub Actions",
"keyPrefix": "i18n_at_abc1",
"scopes": ["read", "write", "publish"],
"lastUsedAt": "2026-04-11T09:45:00Z",
"createdAt": "2026-01-01T00:00:00Z",
"expiresAt": null,
"revokedAt": null
}
]
}Create a secret token
POST /v1/api-keys/tokens
Authorization: Bearer i18n_at_...
Content-Type: application/json
{
"label": "CI/CD — GitHub Actions",
"scopes": ["read", "write", "publish"],
"expiresAt": "2027-01-01T00:00:00Z"
}Scopes:
| Scope | Permissions |
|---|---|
read | List profiles, list keys, get coverage |
write | Create/update/delete keys, create drafts |
publish | Publish profiles, publish drafts |
translate | Run AI translation |
admin | All scopes + manage team members |
expiresAt is optional — omit for a non-expiring token.
{
"id": "tok_def456",
"label": "CI/CD — GitHub Actions",
"token": "i18n_at_abc123...xyz",
"keyPrefix": "i18n_at_abc1",
"scopes": ["read", "write", "publish"],
"expiresAt": "2027-01-01T00:00:00Z",
"createdAt": "2026-04-11T10:00:00Z"
}Copy the token value now — it will not be shown again.
Revoke a secret token
DELETE /v1/api-keys/tokens/:id
Authorization: Bearer i18n_at_...Takes effect immediately. Any CI jobs or CLI sessions using this token will start receiving 401 Unauthorized.
{ "revoked": true, "revokedAt": "2026-04-11T10:05:00Z" }Domain allowlist
Public keys can be restricted to specific domains. The loader script sends an Origin header; the CDN rejects requests from origins not in the allowlist.
This prevents other sites from using your public key to serve their content from your CDN quota.
PATCH /v1/api-keys/public/:id
Authorization: Bearer i18n_at_...
Content-Type: application/json
{
"allowedDomains": ["myapp.com", "staging.myapp.com", "localhost"]
}Pass "allowedDomains": [] to remove all restrictions.