Authentication
All API requests are authenticated using API keys passed in the X-API-Key header.
API key format
Section titled “API key format”Keys follow a prefix convention that identifies their mode:
| Prefix | Mode | Purpose |
|---|---|---|
dp_live_ | Live | Real shipments, real payments, real notifications |
dp_test_ | Test | Simulated shipments with no external side-effects |
A full key looks like dp_live_AbCdEfGhIjKlMnOpQrStUvWxYz012345 (approximately 48 characters).
Sending requests
Section titled “Sending requests”Include your API key in the X-API-Key header on every request:
curl -X POST https://api.dutypro.exelot.com/api/shipments/ \ -H "Content-Type: application/json" \ -H "X-API-Key: dp_live_YOUR_KEY_HERE" \ -d '{ ... }'Key scoping
Section titled “Key scoping”API keys can be scoped to a specific brand or left unrestricted (account-level):
Account-level keys
Section titled “Account-level keys”An account-level key can create shipments for any brand in your account. You must include a brand_id in the request body to specify which brand the shipment belongs to.
{ "brand_id": "my-brand", "currency": "USD", "items": [ ... ]}The brand_id field accepts either a brand ID or a brand slug.
Brand-scoped keys
Section titled “Brand-scoped keys”A brand-scoped key is restricted to a single brand. The brand_id field in the request body is optional — if omitted, the key’s brand is used automatically. If provided, it must match the key’s brand.
Managing keys
Section titled “Managing keys”API keys are managed from the dashboard under Settings > API Keys. See the Settings guide for details.
Key operations:
- Generate — Create a new live or test key, optionally scoped to a brand. The plaintext key is shown only once at creation time; store it securely.
- Revoke — Permanently deactivate a key. Any integrations using it will immediately stop working. This cannot be undone.
- Roll — To rotate a key, generate a new one, update your integration, then revoke the old key.
Live vs. test mode
Section titled “Live vs. test mode”The mode is determined entirely by which API key you use — there is no mode parameter in the request body. A single integration codebase can switch between modes by swapping the API key, typically via an environment variable.
See the Test Mode guide for a full comparison of live and test behavior.
Error responses
Section titled “Error responses”| Status | Error | Cause |
|---|---|---|
401 Unauthorized | Missing API key | No X-API-Key header in the request |
401 Unauthorized | Invalid API key | Key not found, or key has been revoked |
400 Bad Request | brand_id is required when using an unrestricted API key | Account-level key used without a brand_id in the request body |
400 Bad Request | brand_id does not match the API key's brand | Brand-scoped key used with a mismatched brand_id |
404 Not Found | Brand not found | The specified brand_id or slug does not exist in your account |
Security best practices
Section titled “Security best practices”- Never expose API keys in client-side code. Keys should only be used in server-to-server requests.
- Use test keys for development. Test keys prevent accidental charges and notifications.
- Rotate keys periodically. Generate a new key, deploy it, then revoke the old one.
- Use brand-scoped keys when an integration only needs access to a single brand. This limits blast radius if a key is compromised.