Authentication
All requests to the Pixee PIM API must be authenticated. The API supports two authentication methods: API keys (recommended for integrations) and JWT Bearer tokens (for user sessions).
API keys
API keys are long-lived credentials prefixed with pm_live_ (production) or pm_test_ (test). You can create and manage them in your account settings.
Never share your API key or commit it to source control. Keys are hashed at rest — the raw value is only shown once at creation. If a key is compromised, rotate it immediately.
Using an API key
Pass the key in the X-API-Key header on every request:
Authenticated request
curl https://api.pixeepim.com/api/v1/products \
-H "X-API-Key: pm_live_abc123..."
API key scopes
Each key is restricted to a set of scopes:
| Scope | Access |
|---|---|
products:read | Read products and catalog data |
products:write | Create and update products |
products:delete | Delete products and bulk delete |
categories:read | Read category tree and mappings |
suppliers:read | Read supplier catalog data |
imports:read | View import jobs and logs |
imports:write | Start and manage imports |
exports:read | View export jobs |
exports:write | Create and download exports |
ext:products:read | External API — read product catalog |
ext:products:write | External API — create and update products |
windev:read / windev:write / windev:sync | WinDev Integration — full WinDev sync access |
Creating an API key
- Log in at pixeepim.com.
- Navigate to Settings → API Keys.
- Click Create API Key, enter a descriptive name and select the required scopes.
- Copy the key immediately — it won't be shown again.
Rotating a key
Rotate an API key
curl -X POST https://api.pixeepim.com/api/v1/api-keys/{key_id}/rotate \
-H "X-API-Key: pm_live_abc123..."
The old key is invalidated immediately and a new one is returned.
JWT Bearer tokens
User sessions use short-lived JWT tokens (valid for 15 minutes by default). Obtain a token via the login endpoint:
Login
curl -X POST https://api.pixeepim.com/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "you@example.com", "password": "••••••••"}'
Response
{
"access_token": "eyJhbGc...",
"token_type": "bearer"
}
Use the token in the Authorization header just like an API key:
curl https://api.pixeepim.com/api/v1/products \
-H "Authorization: Bearer eyJhbGc..."
To refresh an expiring token:
The refresh token is sent automatically via the refresh_token HttpOnly cookie set at login. No Authorization header needed for this endpoint.
Refresh token
curl -X POST https://api.pixeepim.com/api/v1/auth/refresh \
-H "Content-Type: application/json"
Multi-tenant context
If your account manages multiple tenants, scope a request to a specific tenant with the X-Tenant-ID header:
Request with tenant context
curl https://api.pixeepim.com/api/v1/products \
-H "X-API-Key: {api_key}" \
-H "X-Tenant-ID: {tenant_id}"
Without this header, the request operates on your default account context.
Error responses
| Status | Meaning |
|---|---|
401 Unauthorized | Missing, invalid, or expired credential |
403 Forbidden | Valid credential but insufficient scope or permissions |
423 Locked | Account locked after too many failed login attempts |
See the Errors guide for the full error format.