
Overview

Sticker uses a secure, API-key-based authentication system for partner integrations. This guide explains how to authenticate your API requests and secure your integration.

API Key Authentication

All API requests must include your Partner API Key in the Authorization header:
Authorization: Bearer your_partner_api_key_here
Never expose your API key in client-side code. All Sticker API calls must be made from your backend server.

Getting Your Credentials

When you sign up as a Sticker partner, you’ll receive:

Partner ID: a unique UUID identifying your organization
API Key: your secret authentication token
Contact the Sticker team at suyash@sticker.com to request your credentials.

Environment Setup

Store your credentials securely as environment variables:
STICKER_PARTNER_ID=70914863-7810-44c0-924b-ca72e6528eed
STICKER_API_KEY=sk_live_abc123...
STICKER_API_URL=https://api.usesticker.com/v1/
STICKER_SANDBOX_API_KEY=sk_test_abc123...
STICKER_API_SANDBOX_URL=https://api.staging.usesticker.com/v1/

Making API Requests

All API requests simply require your API key in the Authorization header:
// Partner-backend handshake against the sandbox. The API key is read from the
// environment on the server and never reaches the browser.
async function handshakeRequest(orgId, user) {
  const requestBody = {
    partner_org_id: orgId,
    user: user
  };

  const response = await fetch('https://api.staging.usesticker.com/v1/partner/handshake', {
    method: 'POST',
    headers: {
      'Authorization': `Bearer ${process.env.STICKER_SANDBOX_API_KEY}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify(requestBody)
  });

  // Surface authentication failures instead of treating an error body as a session token
  if (!response.ok) {
    throw new Error(`Sticker handshake failed: HTTP ${response.status}`);
  }

  return await response.json();
}

Session Tokens

The handshake endpoint returns a time-limited session token that authenticates the user in the embedded iframe.

Session Token Properties

session_key (string, required): single-use authentication token for iframe embedding
expires_in (number): time until the token expires, in seconds (default: 300 seconds / 5 minutes)
is_used (boolean): whether the token has already been consumed (always false on creation)

Using Session Tokens

<!-- Append the session token to the iframe URL (URL-encode sessionKey when building the src) -->
<iframe
  src="https://app.usesticker.com/${partnerOrgId}?session_key=${sessionKey}"
  width="100%"
  height="800px"
></iframe>
Session tokens are single-use only. Once a user loads the iframe with a session token, that token becomes invalid. Generate a new token for each user session.
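Putting the environment variables, the handshake call and the iframe embedding together, the following is an added example of a partner-backend helper; it is not Sticker's own SDK or code from this page. The endpoint path, header and request field names follow the sections above, and the env-var names and the sk_live_/sk_test_ key prefixes are taken from the Environment Setup example. The response body shape (session_key, expires_in) is assumed from the documented properties, and the fetch implementation is injectable so the code runs offline against a stubbed response. The startup check that a key's prefix matches the environment it is used in is an addition for the partner side, not something this page says the API enforces.

```javascript
// Added example (not Sticker's SDK): load credentials from the environment,
// perform one handshake per page render, and build the iframe src.
// Assumptions: env-var names and sk_live_/sk_test_ prefixes as on this page;
// handshake response contains session_key and expires_in.

const ENVIRONMENTS = {
  live:    { urlVar: 'STICKER_API_URL',         keyVar: 'STICKER_API_KEY',         keyPrefix: 'sk_live_' },
  sandbox: { urlVar: 'STICKER_API_SANDBOX_URL', keyVar: 'STICKER_SANDBOX_API_KEY', keyPrefix: 'sk_test_' },
};

// Validate configuration at startup so a misplaced key (a live key pointed at
// staging, or the reverse) is caught before any request leaves the server.
function loadConfig(env, mode) {
  const spec = ENVIRONMENTS[mode];
  if (!spec) throw new Error(`unknown mode: ${mode}`);
  const partnerId = env.STICKER_PARTNER_ID;
  const baseUrl = env[spec.urlVar];
  const apiKey = env[spec.keyVar];
  for (const [name, value] of [['STICKER_PARTNER_ID', partnerId], [spec.urlVar, baseUrl], [spec.keyVar, apiKey]]) {
    if (!value) throw new Error(`missing environment variable ${name}`);
  }
  if (!apiKey.startsWith(spec.keyPrefix)) throw new Error(`${spec.keyVar} does not look like a ${mode} key`);
  if (!baseUrl.startsWith('https://')) throw new Error(`${spec.urlVar} must use https`);
  // A trailing slash matters: new URL('partner/handshake', '.../v1') would drop the /v1 segment.
  return { partnerId, baseUrl: baseUrl.endsWith('/') ? baseUrl : baseUrl + '/', apiKey };
}

// Map an HTTP status plus parsed body to a session token or a typed error.
// The API key is never included in the error, so it cannot leak into logs.
function parseHandshakeResponse(status, body) {
  if (status === 200 && body && typeof body.session_key === 'string' && body.session_key.length > 0) {
    return { ok: true, sessionKey: body.session_key, expiresIn: body.expires_in ?? 300 };
  }
  return { ok: false, status, error: (body && body.error) || 'handshake failed' };
}

async function handshake(config, user, fetchImpl = globalThis.fetch) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), 10_000); // don't hang a user request on a slow upstream
  try {
    const res = await fetchImpl(new URL('partner/handshake', config.baseUrl).toString(), {
      method: 'POST',
      headers: { 'Authorization': `Bearer ${config.apiKey}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ partner_org_id: config.partnerId, user }),
      signal: controller.signal,
    });
    const body = await res.json().catch(() => null);
    return parseHandshakeResponse(res.status, body);
  } finally {
    clearTimeout(timer);
  }
}

// The session key travels in a query string, so it is URL-encoded via
// URLSearchParams; the app origin is fixed here rather than taken from input.
function buildIframeSrc(partnerOrgId, sessionKey) {
  const url = new URL(`https://app.usesticker.com/${encodeURIComponent(partnerOrgId)}`);
  url.searchParams.set('session_key', sessionKey);
  return url.toString();
}

// Per-request flow: a fresh handshake for every render, never a cached key,
// because the token is single-use and expires after expires_in seconds.
async function renderEmbed(config, user, fetchImpl) {
  const result = await handshake(config, user, fetchImpl);
  if (!result.ok) throw new Error(`Sticker handshake failed with status ${result.status}: ${result.error}`);
  return { src: buildIframeSrc(config.partnerId, result.sessionKey), expiresIn: result.expiresIn };
}
```

Call `renderEmbed(loadConfig(process.env, 'sandbox'), user)` from the server-side handler that renders the page containing the iframe; the returned `src` goes into the iframe and is discarded after that one render.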

Security Best Practices

  • Store API keys in environment variables, never in code
  • Use secrets management systems (AWS Secrets Manager, HashiCorp Vault, etc.)
  • Rotate API keys regularly
  • Never commit API keys to version control
  • Never expose API keys in client-side code
  • Always use HTTPS for API requests
  • Validate TLS certificates (never disable certificate verification in your HTTP client, even against the sandbox)
  • Use TLS 1.2 or higher
  • Implement certificate pinning for mobile apps
  • Generate new session tokens for each user login
  • Never reuse session tokens
  • Implement automatic session expiration
  • Clear tokens after user logout
  • Validate all input data before sending to API
  • Implement rate limiting to prevent abuse
  • Log all API requests for audit trails
  • Monitor for suspicious activity

OAuth Flow (Optional)

For partners with OAuth capabilities, Sticker supports an OAuth-based integration flow:
1. User Authorizes Access

   The user grants permission for Sticker to access their profile data.

2. Exchange Authorization Code

   Your backend exchanges the authorization code for an access token.

3. Send Access Token to Sticker

   Include the access token in the organization setup request:
   {
     "organization": { /* ... */ },
     "users": [ /* ... */ ],
     "access_token": "oauth_access_token_here"
   }

4. Automatic Data Sync

   Sticker uses the access token to keep organization data in sync.
OAuth flow is recommended for dynamic organizations where user data and addresses change frequently. Contact our team to enable OAuth for your integration.

Testing Authentication

Use our sandbox environment to test authentication without affecting production data:
# Sandbox API URL
STICKER_API_SANDBOX_URL=https://api.staging.usesticker.com/v1/

# Test API Key (provided during onboarding)
STICKER_SANDBOX_API_KEY=sk_test_...
Test your authentication with a simple health check:
curl https://api.staging.usesticker.com/v1/health \
  -H "Authorization: Bearer $STICKER_SANDBOX_API_KEY"

Common Authentication Errors

Cause: Invalid or missing API key
Solution: Verify your API key is correct and included in the Authorization header

Cause: Valid API key but insufficient permissions
Solution: Contact Sticker support to verify your partner permissions

Cause: Session token used after the 5-minute expiration window
Solution: Generate a new session token for the user

Next Steps