Home / 

Authentication

Requests to Stedi APIs are authenticated using a secret token called an API key. Each API key belongs to a single account and each account can have multiple API keys.

Creating an API key

To create a new API key, go to the navigation menu at the top of the page, click on More and choose API Keys. Then, click on the Generate API key button on the top right.

You must provide a name for your API key. It can be anything you want, but typically you use it to describe the application that will use the key to call Stedi endpoints, like ERP, or Warehouse Management.

Your API key will be displayed in the Stedi dashbord. This is the only time you're presented with the full API key, so be sure to copy the key and store it in a secure location.

Remember: Your API key should be kept secret. Never share it or commit it to source control.

Making authenticated API calls

When making an HTTP request to a Stedi API, pass your API key in the Authorization header, prefixed by the word Key. For example, the following HTTP request retrieves a list of all mappings.

GET https://mappings.stedi.com/2021-06-01/mappings HTTP/1.1
Authorization: Key replace.withYourOwnApiKey
Content-Type: application/json

The next example is a bit more involved. We use Javascript and the Axios library to call EDI Core, which will translate EDI to JSON.

import axios from "axios";

const edi = `ISA*00*          *00*          *ZZ*SENDERISA      *14*0073268795005  *020226*1534*U*00401*000000001*0*T*>~
GS*PO*SENDERGS*007326879*20020226*1534*1*X*004010~
ST*850*000000001~
BEG*00*SA*A99999-01**19970214~
REF*VR*54321~
ITD*01*3*1**15**16~
DTM*002*19971219~
N1*BT*BUYSNACKS INC.*9*1223334444~
N3*P.O. BOX 0000~
N4*TEMPLE*TX*76503~
PO1**16*CA*12.34**CB*000111111*UA*002840022222~
PID*F****CRUNCHY CHIPS LSS~
PO4*48*7.89*LB~
CTT*7~
SE*35*000000001~
GE*1*1~
IEA*1*000000001~
`;

axios
  .request({
    url: "https://edi-core.stedi.com/2021-06-05/translate",
    method: "POST",
    data: { input: edi, input_format: "edi", output_format: "jedi@2.0" },
    headers: { Authorization: `Key ${process.env.API_KEY}` },
  })
  .then((response) => {
    const jedi = response.data.output;
    console.log(JSON.stringify(jedi));
  })
  .catch((error) => {
    console.error(error);
  });

Authentication still happens the same way: by passing the API key in the Authorization header. However, the code doesn't include the API key directly. The API key needs to be kept secret, so you shouldn't commit it to source control. The example above reads it from an environment variable called API_KEY.

Recommended security practices

API keys allow you to access and modify data in your Stedi account, so it's important that untrusted parties are not able to access them.

  • Don't share API keys. Use a different API key for each application that you build on Stedi and give each developer their own API key for testing.
  • Don't commit API keys to source control. Instead, use environment variables, or use the configuration facility provided by the framework you use.
  • Delete any API keys that are no longer used or that may have been exposed to an untrusted party.

Service Limits

Each account may have up to 50 API keys at one time.

Creating an API keyMaking authenticated API callsRecommended security practicesService Limits