Get started

Secret Key

Every request to the Shop.mn × PickPack API must include a Secret Key. Keys are issued per environment and per direction (Shop → PickPack and PickPack → Shop).

Secret Keys#

Each side of the integration receives a pair of keys — one for production traffic and one for sandbox traffic. Keys are scoped to a single environment and a single direction; they are not interchangeable.

sk_live_… — production secret key
sk_test_… — sandbox secret key

Keys will be exchanged out-of-band during onboarding. Shop.mn will provide your team with both keys via a secure channel.

Sending the key#

Pass the key in the X-Secret-Key header on every request:

http

X-Secret-Key: sk_live_8K3...zQ
Content-Type: application/json

Requests without an X-Secret-Key header or with an invalid key are rejected with 401 Unauthorized.

Webhook signing#

Webhooks delivered from Shop.mn to PickPack (and vice versa) are signed with an HMAC-SHA256 signature carried in the X-Shop-MN header. See the Webhooks section for the verification recipe.

Keep keys secret

Treat Secret Keys like passwords. Never embed them in client-side code, log them, or commit them to source control. If a key is exposed, contact Shop.mn immediately to rotate it.

Final scheme TBD

The exact key format, rotation policy, and IP allow-listing rules are still being finalised with PickPack. This page will be updated when the scheme is locked.