API Keys
API keys authenticate your theme to the Dukanext API and control which domains are allowed to make requests.
Creating a key
In the shop admin, go to Settings, scroll to Developer Tools, and open the API Keys tab. Click Generate — a modal opens where you provide a label (e.g. "Production Theme") and add your allowed origin. Click Generate to create the key. It is shown once, so copy it immediately.
Keys are prefixed with vst_.
Sending the key
Pass the key in the x-api-key header on every request:
x-api-key: vst_48487803e7db26c6f9817bb57443e50aa26db920f289871c
Keep your key out of version control. Use environment variables:
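// Next.js example
// NEXT_PUBLIC_ variables are inlined at build time into any JavaScript sent
// to the browser, so treat this key as visible to site visitors.
const API_KEY = process.env.NEXT_PUBLIC_DUKANEXT_API_KEY;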
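The following is an added example, not part of the Dukanext documentation: a check that could run in a pre-commit hook or CI step to catch a key hard-coded in source. The key pattern (vst_ followed by 32 or more hex characters) is an assumption inferred from the sample key above, and the function names are hypothetical.

```javascript
// Added example: scan text (e.g. the contents of a staged file) for API keys.
// Assumption: a key is "vst_" followed by at least 32 hex characters,
// inferred from the sample key on this page (48 hex characters).
const KEY_PATTERN = /\bvst_[0-9a-f]{32,}\b/gi;

// Keep only enough of the key to identify it, so reports do not leak it again.
function redactKey(key) {
  return key.slice(0, 8) + "..." + key.slice(-4);
}

// Return one finding per key occurrence, with 1-based line and column numbers.
function findApiKeys(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, index) => {
    for (const match of line.matchAll(KEY_PATTERN)) {
      findings.push({
        line: index + 1,
        column: match.index + 1,
        key: redactKey(match[0]),
      });
    }
  });
  return findings;
}

// Constructed sample input: a hard-coded key, an environment lookup,
// and a short string that shares the prefix but is not a key.
const SAMPLE_SOURCE = [
  'const API_KEY = "vst_48487803e7db26c6f9817bb57443e50aa26db920f289871c";',
  "const OTHER = process.env.NEXT_PUBLIC_DUKANEXT_API_KEY;",
  'const label = "vst_demo";',
].join("\n");

// A hook would exit non-zero when this list is not empty.
console.log(findApiKeys(SAMPLE_SOURCE));
```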
Allowed origins
The API enforces strict origin validation. Every request is checked against the origin registered on the key. Requests from unlisted origins are rejected with ORIGIN_NOT_ALLOWED (401).
Add the domain your theme is deployed to. A theme runs in one place, so one key needs at least one domain:
yourstore.com
Create a separate key for staging so you can revoke it independently without touching production.
Revoking a key
You can deactivate or reactivate any key from the admin at any time. Once a key is deactivated, requests that use it immediately start receiving API_KEY_REVOKED (403).
Possible errors
| Code | HTTP | Cause |
|---|---|---|
| API_KEY_REQUIRED | 401 | x-api-key header not sent |
| API_KEY_INVALID | 401 | Key does not exist |
| API_KEY_REVOKED | 403 | Key was deactivated |
| ORIGIN_NOT_ALLOWED | 401 | Request origin not in the key's allowlist |