ShipKit API reference

The open shipping toolkit — multi-carrier labels secured by Lifted Payments 3-D Secure. This page is self-contained; the machine-readable spec lives at /openapi.yaml (OpenAPI 3.1).

Authentication

Every /api/* route — except GET /api/health and the HMAC-verified POST /api/webhook/easypost — requires a ShipKit API key in the ShipKit-Api-Key header:

ShipKit-Api-Key: sk_live_your_secret_key_here

Keys carry a scope: secret sk_… keys (server/admin-only, full access) and browser-safe publishable pk_… keys (the widget's key — confined to the customer flow; secret-only actions return 403). Mint one with ./gradlew shipkitKeygen -Plabel=prod-checkout (add --publishable via KeygenKt for a pk_… key) or the admin-gated POST /api/keys. Only a SHA-256 hash is stored; the full key is shown once. Money fields are strings (e.g. "8.42").