Authentication
API key authentication and rate limits
All requests to the Umbrella API require authentication. There are two methods depending on the endpoint.
Shopify header authentication
Public-facing endpoints (widget data, claims, policy lookups) authenticate using Shopify shop domain headers:
X-Shopify-Shop-Domain: your-store.myshopify.com
X-Shopify-Customer-Id: 1234567890
When you install the Umbrella Shopify app, your shop domain is automatically registered. No manual setup is needed for storefront endpoints.
Internal API key authentication
Server-side endpoints (eligibility assessment, product sync) authenticate with an API key in the request body:
{
  "internalApiKey": "your-internal-api-key",
  "orgId": "your-org-id"
}
To generate or rotate an internal API key:
- Go to Dashboard > Settings > Integrations
- Locate the API Keys section
- Click Generate New Key or Rotate Key
Rotating a key immediately invalidates the previous one. Update all integrations before rotating.
Test vs live environments
| Environment | Shop Domain | Behavior |
|---|---|---|
| Testing | *.test, demo.myshopify.com, test.myshopify.com | Returns mock data, no real transactions |
| Live | Your actual *.myshopify.com domain | Real data, real transactions |
Test-mode requests return "testingMode": true in responses and use sample warranty data.
Error handling
Common error status codes across all endpoints:
| Status | Meaning |
|---|---|
| 400 | Missing or invalid parameters |
| 401 | No authentication credentials provided |
| 403 | Unauthorized origin or invalid API key |
| 404 | Resource not found |
| 408 | Request timeout (25-second limit) |
| 429 | Rate limit exceeded — wait and retry |
| 500 | Internal server error |
When you receive a 429 response, wait for the retry period before sending more requests. Implement exponential backoff for high-volume scenarios.
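The following is an added example, not Umbrella's own code: a client-side wrapper that applies the 429 guidance above with full-jitter exponential backoff and stops immediately on 401/403 instead of retrying a rejected key. The `send` callable, the function names, and reading the retry period from a `Retry-After` header are assumptions; the page does not say how the retry period is communicated.

```python
import random
import time

AUTH_FAILURES = {401, 403}  # status table: no credentials / invalid key or origin
RETRYABLE = {429}           # the only status the page says to wait on and retry


class AuthError(Exception):
    """Raised on 401/403 so callers fix credentials instead of retrying."""


def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based)."""
    if retry_after is not None:  # assumed header; honour it when it parses
        try:
            return min(cap, max(0.0, float(retry_after)))
        except ValueError:
            pass  # HTTP-date or junk value: fall back to computed backoff
    # Full jitter: uniform in [0, min(cap, base * 2**attempt)]
    return rng() * min(cap, base * (2 ** attempt))


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """Call send() -> (status, headers, body) until it is no longer rate limited."""
    for attempt in range(max(1, max_attempts)):
        status, headers, body = send()
        if status in AUTH_FAILURES:
            # A rotated (invalidated) key looks like this; retrying it only
            # adds load and noise, so surface it to the operator at once.
            raise AuthError(f"HTTP {status}: check API key / shop domain")
        if status not in RETRYABLE:
            return status, body
        if attempt + 1 < max_attempts:
            sleep(backoff_delay(attempt, headers.get("Retry-After"), rng=rng))
    return status, body  # still rate limited after max_attempts


if __name__ == "__main__":
    # Constructed responses standing in for the API: two 429s, then success.
    replies = iter([(429, {"Retry-After": "2"}, ""), (429, {}, ""), (200, {}, "ok")])
    waits = []
    print(call_with_backoff(lambda: next(replies), sleep=waits.append), waits)
```

Wrap the real HTTP call in `send` and keep `internalApiKey` out of anything the wrapper logs or includes in exception messages.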
Related
- Endpoints Overview — Full list of available endpoints
- Warranty API — Warranty plan management endpoints
- Webhooks Reference — Event-driven integrations