Guides / Authentication
Authentication
Merdi Express uses Bearer token auth. Every key is bound to a single environment — sandbox or live — and the prefix tells you which.
Key formats
| Prefix | Environment | Sample | Hits live systems |
|---|---|---|---|
| mk_test_ | Sandbox | mk_test_rh9ABekJfP31cN7sQ8jKvLwY | no |
| mk_live_ | Live | mk_live_8ZqAvR2nLkPyWxV4DfHcM6tB | yes |
| whsec_ | Webhook signing | whsec_aB3kPq9XmZ2nY7tR1cV8sFhJ | — |
Scopes & envs
Each key is issued against an account with a scope set. Default: shipments:read shipments:write tracking:read webhooks:*. Narrower scopes available on request.
curl · auth header
curl https://merdiexpress.com/api/v1/shipments \ -H "Authorization: Bearer mk_test_rh9ABekJfP31cN7sQ8jKvLwY" # 401 example: HTTP/1.1 401 Unauthorized { "error": { "type": "authentication_failed", "sys_code": 1401002, "message": "Key revoked or expired" } }
Rotation
Multiple active keys per account are allowed. Issue a new key, ramp traffic to it, then revoke the old — zero downtime. We recommend rotating live keys every 90 days.