Authentication
SHINE SHOP DEV uses sk-... API keys for developer API traffic.
OpenAI-compatible requests usually use:
    Authorization: Bearer sk-...
Anthropic-compatible requests usually use:
    x-api-key: sk-...
    anthropic-version: 2023-06-01
Both forms are accepted by the public developer API.
API key rules
- Keys use an OpenAI-like sk-... visible format.
- Raw keys are shown exactly once when created or rotated.
- Store keys in environment variables or a secret manager, never in source code.
- Server storage is hash-only with a secret pepper.
- Later reads show only safe metadata such as prefix, suffix, scopes, name, status, creation time, and last-used time.
- Revoked keys stop working for future developer API requests.
- Key-like values sent in query parameters are rejected.
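A minimal server-side sketch of the rules above, added here as an illustration and not SHINE SHOP DEV's own code. HMAC-SHA256 as the peppered hash, the in-memory STORE, the KEY_LIKE pattern, the prefix and suffix lengths, and all function names are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

# Assumption: the pepper is a server-side secret loaded from a secret manager.
# A constructed random value stands in for it here.
PEPPER = secrets.token_bytes(32)
KEY_LIKE = re.compile(r"sk-[A-Za-z0-9_-]{16,}")  # assumed key shape
STORE = {}  # digest -> safe metadata; stands in for the key table


def digest(raw_key: str) -> str:
    """Peppered hash: HMAC-SHA256 keyed with the pepper (assumed construction)."""
    return hmac.new(PEPPER, raw_key.encode(), hashlib.sha256).hexdigest()


def create_key(name: str, scopes: list[str]) -> str:
    """Return the raw key once; persist only its digest and safe metadata."""
    raw = "sk-" + secrets.token_urlsafe(32)
    STORE[digest(raw)] = {
        "name": name, "scopes": scopes, "status": "active",
        "prefix": raw[:7], "suffix": raw[-4:],
        "created_at": time.time(), "last_used_at": None,
    }
    return raw


def revoke(raw_key: str) -> None:
    STORE[digest(raw_key)]["status"] = "revoked"


def authenticate(url: str, headers: dict[str, str]):
    """Return key metadata for a valid request, or None to reject it."""
    # A key-like value in any query parameter rejects the whole request.
    if any(KEY_LIKE.search(v) for _, v in parse_qsl(urlsplit(url).query)):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    raw = h.get("x-api-key", "")
    if h.get("authorization", "").startswith("Bearer "):
        raw = h["authorization"][len("Bearer "):]
    meta = STORE.get(digest(raw))
    if meta is None or meta["status"] != "active":
        return None
    meta["last_used_at"] = time.time()
    return meta
```

Because only the digest is stored, a leaked key table does not reveal usable keys without the pepper, and a lost raw key can only be replaced by rotation.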
Developer API boundary
Client tools and SDKs should only call the public compatibility endpoints:
    OpenAI-compatible: https://api.shineshop.dev/v1
    Anthropic-compatible: https://api.shineshop.dev/anthropic
OpenAI-compatible example:
    curl https://api.shineshop.dev/v1/models \
      -H "Authorization: Bearer $SHINESHOP_DEV_API_KEY"
Anthropic-compatible example:
    curl https://api.shineshop.dev/anthropic/v1/messages \
      -H "x-api-key: $SHINESHOP_DEV_API_KEY" \
      -H "anthropic-version: 2023-06-01" \
      -H "Content-Type: application/json" \
      -d '{"model":"codex/gpt5.5","max_tokens":20,"messages":[{"role":"user","content":"Say OK"}]}'
Web sessions
The website panel uses the existing email OTP and magic-link session. Web sessions and API keys are separate credentials.
Developer API boundary
Use only the documented public base URLs. SHINE SHOP DEV API keys are developer credentials and are not forwarded as model-provider credentials. No other service hostnames are user-facing API requirements.