Every Studio API request needs a studio API key. Keys are created in the store UI, never over the API itself.
Creating a key
- Open your studio’s dashboard and go to Settings → API.
- Click New key, give it a recognisable name (e.g. “Discord bot”), and pick a tier:
- Basic, free. Reads your studio profile, products, and version history.
- Premium, requires an active Branding+ subscription. Everything in Basic, plus sales, revenue summaries, timeseries, and top products.
- Copy the key immediately. It is shown exactly once, only a hash is stored on our side.
A key looks like:
nmk_studio_9f4c1e2ab37d85f60b1a4c9d2e7f30581a6b4c8d
Managing keys requires the Manage settings permission on the studio (owners always have it). A studio can have at most 10 active keys.
Sending the key
Use the x-api-key header (recommended):
curl https://nmcrate.com/api/public/v1/studio/products \
-H "x-api-key: nmk_studio_..."
Or as a bearer token:
curl https://nmcrate.com/api/public/v1/studio/products \
-H "Authorization: Bearer nmk_studio_..."
Key tiers and the live subscription check
The tier is a property of the key, chosen at creation:
- A basic key never gets premium access, even while the studio is subscribed. This lets you hand a basic key to a third-party integration without exposing your sales data.
- A premium key works on premium endpoints only while the studio’s Branding+ subscription is currently active. The subscription is verified live on every request; if it ends, premium endpoints respond with
403 SUBSCRIPTION_INACTIVE until the plan is renewed. Free endpoints keep working with the same key throughout.
Scope and isolation
- A studio key identifies the studio, not the member who created it. It only works on
…/public/v1/studio/* endpoints and can only read its own studio’s data.
- Studio keys are rejected everywhere else on the public API (
401 STUDIO_KEY_NOT_ALLOWED), and personal keys (nmk_live_…) are rejected on studio endpoints (401 STUDIO_KEY_REQUIRED).
- Browser sessions are not accepted on studio endpoints.
Revoking a key
Revoke a key any time from Settings → API. Revocation takes effect immediately: the next request with that key returns 401 REVOKED_API_KEY. Revocation cannot be undone, create a new key instead.
Treat keys like passwords. Don’t commit them to git, don’t ship them in client-side code, and revoke any key you suspect has leaked.