Security & Authentication
The Boxy API requires an API Key & API Secret provided by Boxy to access most endpoints. You can create and retrieve your API Credentials from our dashboard following the steps below:

Boxy expects the API Key & API Secret to be included in all API requests to the server in an api-key & api-secret header that looks like the following:

api-key: XXXXXXXXXXXXXXX-XXXXXXXXXXXXX-XXXXXXXXXXXX
api-secret: XXXXXXXXXXXXXXX-XXXXXXXXXXXXX-XXXXXXXXXXXX

For example, you could send an authenticated request like so:

curl --request POST \
  --url https: \
  --header 'Content-type: application/json' \
  --header 'api-key: XXXXXXXXXXXXXXX-XXXXXXXXXXXXX-XXXXXXXXXXXX' \
  --header 'api-secret: XXXXXXXXXXXXXXX-XXXXXXXXXXXXX-XXXXXXXXXXXX' \
  --data '{ .... }'
Keep Your Key Safe
Your API key gives full access to Boxy's functionality and therefore should be guarded in the same way you would guard a password or other application credentials.

Limit who has access to your API key and to the Boxy account settings.
Store your keys in a safe place, such as a credential store or key vault.
Don't hard-code API keys in your source code or config files.
Ensure that your keys are kept out of any version control system, such as GitHub.
If your application runs on users' desktops, mobile devices, or web browsers, then your app's network traffic could be visible to your users, including your API keys. For this reason, we advise that you only call the Boxy API from your server-side code, which runs safely within your network infrastructure.

Deactivating Keys
If your API key becomes compromised, you should deactivate it and replace it with a new one as quickly as possible. You can do so from your Boxy account API settings page.

Client-Side Apps & CORS
Many customers develop client-side applications for interacting with the Boxy API. For example, you may have a web app or mobile app that your customers use to create orders through Boxy. If this is the case, make sure all requests to Boxy are sent from your server and not directly from the client application.

The main reason for this is that you would need to expose your API key to the client. To protect your account from unauthorized access you should never expose your API key to any client application.

The other reason is that web browsers and mobile apps will not allow a web page to access a resource on another domain. For example, if your app runs at https://my-app.com and you try to make a request to the Boxy API at https://api.tryboxy.com, the browser will generate an error because your domain, my-app.com, is different from the domain to which you are sending the API request, api.tryboxy.com. This prevents other web pages you visit from gaining access to the resource, a protection for both your client and the Boxy API.

One solution is to host your own API on the same domain as your application. Your client application interacts directly with your API and your backend server makes requests to Boxy. In this manner, your API is a layer between your client application and Boxy.

Some APIs may implement CORS (Cross Origin Resource Sharing) to allow web browsers and mobile applications to call the API directly. However, this is not the best practice for keeping private APIs like Boxy secure.

Modified at 2025-02-07 13:52:23
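As an added illustration of the server-side layer described above (example code, not Boxy's own), a minimal Python relay: the client app posts to your API, and only this server-side function ever holds the credentials, which it reads from the environment rather than from source or config files. The api.tryboxy.com host and the api-key/api-secret headers come from this page; the endpoint path, the environment variable names and the log-redaction helper are assumptions.

```python
import json
import os
import urllib.request
from typing import Callable, Dict, Optional

BOXY_API_BASE = "https://api.tryboxy.com"  # host named on the page


def load_boxy_credentials(env=os.environ):
    """Read the key pair from the environment, which a vault or secret store
    populates at deploy time, so nothing lives in source or config files."""
    key = env.get("BOXY_API_KEY")        # variable names are assumptions
    secret = env.get("BOXY_API_SECRET")
    if not key or not secret:
        raise RuntimeError("Boxy credentials missing; refusing to call the API")
    return key, secret


def boxy_headers(key: str, secret: str) -> Dict[str, str]:
    """Headers the page specifies: api-key and api-secret on every request."""
    return {"Content-type": "application/json", "api-key": key, "api-secret": secret}


def redact(value: str) -> str:
    """Mask a credential before it reaches a log line (keep the last 4 chars)."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def _http_post(url: str, headers: Dict[str, str], body: bytes) -> dict:
    """Real transport, used only when no test double is injected."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def forward_to_boxy(path: str, payload: dict, env=os.environ,
                    send: Optional[Callable] = None) -> dict:
    """Server-side relay: the browser or mobile client talks to *your* API;
    this function attaches the secrets and passes the request on to Boxy.
    `send` is injectable so the relay can be exercised without a network."""
    key, secret = load_boxy_credentials(env)
    url = BOXY_API_BASE + path                     # the path is an assumption
    body = json.dumps(payload).encode()
    print(f"relaying to {url} with key {redact(key)}")  # never log the raw key
    return (send or _http_post)(url, boxy_headers(key, secret), body)
```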