Authentication
There are two authentication layers in the Dukanext API. They serve different purposes and are used together.
1. API Key (required on all requests)
The API key authenticates your theme (the application) to the API. It identifies which shop you are accessing and which origins are allowed.
```http
x-api-key: vst_your_key_here
```
Every single request must include this header. See API Keys for setup.
2. Customer JWT (required on protected routes)
Some endpoints require the customer to be logged in. These are routes that access customer-specific data: their orders, notifications, profile, and reviews.
After a customer completes the login flow, you receive a JWT. Pass it as a Bearer token in the Authorization header:
```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
Which endpoints require what
| Endpoints | API Key | Customer JWT |
|---|---|---|
| Products, Categories, Search | Required | Not required |
| Settings, Config, Content | Required | Not required |
| Newsletter, Contact Form | Required | Not required |
| Analytics | Required | Not required |
| POST /orders (place order) | Required | Not required |
| GET /orders, GET /orders/:id | Required | Required |
| GET /auth, PATCH /auth | Required | Required |
| GET /notifications, DELETE /notifications/:id | Required | Required |
| POST /reviews, GET /reviews/my | Required | Required |
Token lifecycle
- Store the JWT in `localStorage` or a secure cookie. Keep in mind that `localStorage` is readable by any script running on the page, so an XSS bug in the theme or in a third-party script exposes the token; an `HttpOnly`, `Secure` cookie keeps it out of reach of script where your setup allows it.
- Include it on every request to a protected endpoint. Public endpoints only need the API key, so there is no reason to send the token there.
- When a request returns `SESSION_EXPIRED` or `AUTH_TOKEN_INVALID`, the token has expired or been invalidated. Clear it and redirect the customer to login.
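The two layers and the token lifecycle rule above, as an added JavaScript example (not Dukanext's own client code). It sends `x-api-key` on every request, adds the Bearer token only on protected routes, refuses to call a protected route with no session, and clears the token when `SESSION_EXPIRED` or `AUTH_TOKEN_INVALID` comes back. The base URL, the assumption that error codes arrive as a `code` field in a JSON body, the `API_KEY_INVALID` code, and the stub server are all constructed for the example and are not documented on this page.

```javascript
// Added example (not Dukanext's own code): a small client helper that applies
// both authentication layers and the token-lifecycle rule from this page.
// Assumptions not stated on the page: the API base URL, that errors come back
// as a JSON body with a `code` field, and the shape of the stub responses.
const API_BASE = "https://api.dukanext.example"; // assumed placeholder
const API_KEY = "vst_your_key_here";             // header value shown above

// Error codes that mean the customer session is gone (from the page).
const AUTH_ERROR_CODES = new Set(["SESSION_EXPIRED", "AUTH_TOKEN_INVALID"]);

// Minimal token store so the example runs outside a browser. In a theme,
// back this with a cookie or localStorage (see the caveat above).
function createTokenStore(initial = null) {
  let token = initial;
  return {
    get: () => token,
    set: (t) => { token = t; },
    clear: () => { token = null; },
  };
}

// Build request headers: x-api-key on every request, Bearer only on
// protected routes. Refuses to call a protected route without a session.
function buildHeaders(token, protectedRoute) {
  const headers = { "x-api-key": API_KEY, Accept: "application/json" };
  if (protectedRoute) {
    if (!token) throw new Error("no customer session: send the customer to login");
    headers.Authorization = `Bearer ${token}`;
  }
  return headers;
}

// Decide whether a response means the session is dead. Assumes an error body
// like { "code": "SESSION_EXPIRED" }; the exact shape is not documented here.
function isSessionDead(status, body) {
  return Boolean(status >= 400 && body && AUTH_ERROR_CODES.has(body.code));
}

async function apiRequest(path, opts) {
  const { method = "GET", protectedRoute = false, body, tokenStore, fetchImpl = fetch, onLogout } = opts;
  const headers = buildHeaders(tokenStore.get(), protectedRoute);
  if (body !== undefined) headers["Content-Type"] = "application/json";
  const res = await fetchImpl(API_BASE + path, {
    method, headers, body: body === undefined ? undefined : JSON.stringify(body),
  });
  let data = null;
  try { data = await res.json(); } catch { /* non-JSON body: treat as no data */ }
  if (isSessionDead(res.status, data)) {
    tokenStore.clear();                 // drop the stale token
    if (onLogout) onLogout(data.code);  // the theme redirects to its login page here
    return { ok: false, status: res.status, code: data.code, loggedOut: true };
  }
  return { ok: res.ok, status: res.status, data };
}

// Constructed stub standing in for the real API so the example runs offline.
// It checks the headers the way the page describes and returns canned bodies.
function stubFetch(url, init) {
  const path = url.slice(API_BASE.length);
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  if (init.headers["x-api-key"] !== API_KEY) return reply(401, { code: "API_KEY_INVALID" }); // assumed code
  if (path === "/products") return reply(200, { items: ["tee", "mug"] });
  if (path === "/orders" && init.method === "GET") {
    return init.headers.Authorization === "Bearer good-token"
      ? reply(200, { orders: [{ id: "o1" }] })
      : reply(401, { code: "SESSION_EXPIRED" });
  }
  return reply(404, { code: "NOT_FOUND" });
}

// Walk through three cases: a public route, a protected route with a live
// session, and a protected route after the session has expired.
async function demo() {
  const events = [];
  const store = createTokenStore("good-token");
  const common = { tokenStore: store, fetchImpl: stubFetch, onLogout: (c) => events.push(`logout:${c}`) };
  const products = await apiRequest("/products", { ...common });
  const orders = await apiRequest("/orders", { ...common, protectedRoute: true });
  store.set("stale-token");
  const expired = await apiRequest("/orders", { ...common, protectedRoute: true });
  return { products, orders, expired, tokenAfter: store.get(), events };
}
```

`demo()` resolves with the public response, the authenticated orders response, the expired-session result, and a cleared token store; in a real theme the `onLogout` callback is where the redirect to the login page goes. The helper never attaches the Bearer token to public routes, so a leak through request logs or a misconfigured proxy on those routes cannot expose the session.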
Customer login flow
The login flow is a 3-step email OTP process. See Customer Auth Flow for the complete implementation guide.