# Authentication and access
URL: https://support.starshipit.com/articles/14700000001002-authentication-and-access
Canonical: https://support.starshipit.com/articles/14700000001002-authentication-and-access
Markdown: https://support.starshipit.com/articles/14700000001002-authentication-and-access.md
Updated: 2026-06-18

> For the complete documentation index, see [llms.txt](https://support.starshipit.com/llms.txt).

> Understand Starshipit API credentials, request headers, domains, and rate limits.

Starshipit has separate API domains for shipping workflows and WMS warehouse workflows. The API key from **Settings > API** is used for both the Starshipit API and the Starshipit WMS API, but the required headers differ by API.

## Before you begin

- Access to **Settings > API** in Starshipit for the API key and subscription key.
- Access to the Starshipit WMS account you are integrating with, if you are calling WMS endpoints.
- A safe place to store secrets in your app or integration platform.
- The Starshipit account you want your integration to access.

For account setup requirements, start with [Developer Center overview](/articles/developer-center/getting-started/developer-center-overview).

## Choose the API domain

| API | Base URL | Use it for |
| --- | --- | --- |
| Starshipit API | `https://api.starshipit.com` | Orders, labels, rates, manifests, tracking, and webhooks. |
| Starshipit WMS API | `https://wms.starshipit.com` | WMS jobs, products, inventory, locations, purchase orders, picking, packing, putaway, replenishment, stocktake, and stock movements. |

Do not send WMS requests to `https://api.starshipit.com`. Do not send core Starshipit shipping API requests to `https://wms.starshipit.com`.

## Understand Starshipit API keys

| Credential | What it controls | Header |
| --- | --- | --- |
| API key | The API key controls which Starshipit account your request can access. Use a different API key when you test against a different account. The same key is used for Starshipit API requests and WMS API requests for that account. | `StarShipIT-Api-Key` for the Starshipit API, `starshipit-api-key` for the WMS API |
| Subscription key | The subscription key controls your API access tier and rate limit for Starshipit API access, including requests made against Starshipit WMS. | `Ocp-Apim-Subscription-Key` for the Starshipit API |

Keep both keys secret. Do not put them in browser code, public repositories, screenshots, or shared logs.

## Get Starshipit API credentials

1. Log in to Starshipit.
2. Go to **Settings > API**.
3. Copy the **API key**.
4. Copy the **Subscription key**.
5. Store both values in your integration's secret store.

You can also read [How to find your Starshipit API key](/articles/integrations/the-starshipit-api/how-to-find-your-starshipit-api-key) if you need the legacy API-key guide.

## Add Starshipit API headers

Each request to `https://api.starshipit.com` must include these headers:

| Header | Description |
| --- | --- |
| `Content-Type` | Use `application/json` for JSON requests. |
| `StarShipIT-Api-Key` | Your account API key from **Settings > API**. |
| `Ocp-Apim-Subscription-Key` | Your subscription key from **Settings > API**. |

## Add WMS API headers

Each request to `https://wms.starshipit.com` must include the WMS authentication header:

| Header | Description |
| --- | --- |
| `starshipit-api-key` | Your Starshipit API key from **Settings > API** for the account using WMS. |

WMS endpoint request and response details are documented in the [WMS API reference](/developers/api-reference/wms).

## Check your request setup

- Use the correct base URL for the API family.
- Include the required authentication headers for that API family.
- Use a different API key for each Starshipit account you test against.
- Match the request body to the endpoint you are calling.
- Log the endpoint, response status, and response body when testing.

## Rate limits

Your Starshipit API access tier controls the rate limit applied to Starshipit API and Starshipit WMS API requests. Developer API access allows two requests per second. Production API access requires approval and uses a higher rate limit.

If you exceed your limit, Starshipit returns `429 Too Many Requests`. Build retry handling with backoff instead of immediately repeating the same request.

Batch requests where the endpoint supports it. For example, use `POST /api/orders/import` to create multiple ready-to-ship orders in one request instead of sending one request per order.

## Verify access

Send a small read-only request first, such as a list or get request, before you create or update production data. Confirm the response returns the expected Starshipit account data.