Get API key
Guides / Authentication

Authentication

Merdi Express uses Bearer token auth. Every key is bound to a single environment — sandbox or live — and the prefix tells you which.

Key formats

PrefixEnvironmentSampleHits live systems
mk_test_Sandboxmk_test_rh9ABekJfP31cN7sQ8jKvLwYno
mk_live_Livemk_live_8ZqAvR2nLkPyWxV4DfHcM6tByes
whsec_Webhook signingwhsec_aB3kPq9XmZ2nY7tR1cV8sFhJ

Scopes & envs

Each key is issued against an account with a scope set. Default: shipments:read shipments:write tracking:read webhooks:*. Narrower scopes available on request.

curl · auth header
curl https://merdiexpress.com/api/v1/shipments \
  -H "Authorization: Bearer mk_test_rh9ABekJfP31cN7sQ8jKvLwY"

# 401 example:
HTTP/1.1 401 Unauthorized
{
  "error": {
    "type": "authentication_failed",
    "sys_code": 1401002,
    "message": "Key revoked or expired"
  }
}

Rotation

Multiple active keys per account are allowed. Issue a new key, ramp traffic to it, then revoke the old — zero downtime. We recommend rotating live keys every 90 days.