API Keys & Security

Manage your API keys and understand MRKT Mesh's security practices.

API Keys

Your API key authenticates requests to the MRKT Mesh tracking endpoint and management API. Each store has its own unique key.

Finding Your API Key

  1. Navigate to Settings → API Keys
  2. Your current key is displayed (masked by default)
  3. Click Show to reveal the full key
  4. Use the Copy button to copy it to your clipboard
Never expose your API key in client-side code or public repositories. The tracking script uses a separate, limited public key.

Rotating Keys

To rotate your API key, click Regenerate in Settings → API Keys. The old key is immediately invalidated. Update your integrations promptly after rotation.

Security Practices

  • Encryption at rest: All sensitive data is encrypted using AES-256
  • Encryption in transit: All API communication uses TLS 1.3
  • PII hashing: Email and phone are SHA-256 hashed before delivery to ad platforms
  • Rate limiting: Per-tenant rate limits protect against abuse
  • Webhook verification: Shopify HMAC signatures are verified on every webhook