API keys are used to authenticate requests to the Stigg REST API. Each environment in your Stigg account has its own set of API keys.
Key types
The REST API requires a full access key (prefixed with server-) for all requests.
Full access keys provide full access to your Stigg environment. Never expose them in client-side code, public repositories, or frontend bundles. Use environment variables to store them securely.
Finding your API keys
- Log in to the Stigg Console
- Go to Integrations > API Keys
Each environment (Production, Staging, Development) has its own full access key.
Using API keys
Include your full access key in the X-API-KEY header with every request:
```bash
curl -X GET "https://api.stigg.io/api/v1/customers" \
  -H "X-API-KEY: your-server-api-key" \
  -H "Content-Type: application/json"
```
REST SDK
When initializing the REST SDK, provide the full access key:
```javascript
import Stigg from '@stigg/rest-client';

// Read the full access key from the environment; never hard-code it.
const stigg = new Stigg({
  apiKey: process.env.STIGG_SERVER_API_KEY,
});
```
Authentication errors
If the API key is missing or invalid, the API returns a 401 Unauthorized response:
```json
{
  "error": {
    "code": "UNAUTHENTICATED",
    "message": "Invalid or missing API key"
  }
}
```
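The header usage, SDK initialisation and 401 handling above, combined into one small Node.js helper as an added example (not Stigg's own code or SDK). It assumes Node 18+ for the global fetch, the STIGG_SERVER_API_KEY variable name from the SDK snippet, and a hypothetical fakeUnauthenticatedFetch stand-in so it runs offline; the prefix length kept by redactApiKey is an assumption.

```javascript
// Added example, not part of the Stigg docs or SDK.
const STIGG_BASE_URL = 'https://api.stigg.io/api/v1';

// Full access keys carry the "server-" prefix. Refuse anything else so a
// key of the wrong type never gets wired into a server-side integration.
function loadServerApiKey(env = process.env) {
  const key = env.STIGG_SERVER_API_KEY;
  if (!key) throw new Error('STIGG_SERVER_API_KEY is not set');
  if (!key.startsWith('server-')) {
    throw new Error('STIGG_SERVER_API_KEY is not a full access (server-) key');
  }
  return key;
}

// Only the key prefix may appear in logs (assumed: first 10 characters).
function redactApiKey(key) {
  return key.slice(0, 10) + '...';
}

// The two headers the REST API expects on every request.
function authHeaders(apiKey) {
  return { 'X-API-KEY': apiKey, 'Content-Type': 'application/json' };
}

// GET a REST endpoint and map the documented 401 UNAUTHENTICATED body to a
// distinct auth failure instead of a generic HTTP error.
async function stiggGet(path, apiKey, fetchFn = globalThis.fetch) {
  const res = await fetchFn(`${STIGG_BASE_URL}${path}`, {
    method: 'GET',
    headers: authHeaders(apiKey),
  });
  const body = await res.json();
  if (res.status === 401 && body?.error?.code === 'UNAUTHENTICATED') {
    return { ok: false, reason: 'UNAUTHENTICATED', message: body.error.message,
             keyPrefix: redactApiKey(apiKey) };
  }
  if (!res.ok) return { ok: false, reason: `HTTP_${res.status}`, body };
  return { ok: true, data: body };
}

// Constructed stand-in for fetch that returns the documented 401 response.
function fakeUnauthenticatedFetch() {
  return Promise.resolve({
    ok: false,
    status: 401,
    json: async () => ({
      error: { code: 'UNAUTHENTICATED', message: 'Invalid or missing API key' },
    }),
  });
}
```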
Key rotation
Rotating API keys regularly is a security best practice. Stigg supports key rotation with configurable grace periods to prevent service disruption.
Grace period options
| Method | Grace period |
|---|---|
| Stigg UI | 0–7 days |
| Stigg API | Up to 1 year |
Use the API for longer grace periods if your organization has longer deployment cycles or manages multiple services.
Revoking keys
Only keys with an expiration date can be revoked. Revoking a key immediately invalidates it. Default keys (without an expiration) must be rotated first — this ensures there is always an active key for your environment.
Access control
API key visibility is controlled by role-based access control (RBAC):
| Action | Owner | Member | Read-only |
|---|---|---|---|
| View API key prefix | ✅ | ✅ | ✅ |
| Copy full API key | ✅ | ❌ | ❌ |