Agentic Commerce

Authentication

API key authentication for ACP checkout operations

Tags: acp, agentic-commerce, authentication, api-key, bearer-token, rate-limit

ACP uses Bearer token authentication for checkout operations. Product discovery endpoints are public and require no authentication.

Getting Your ACP API Key

  1. Log into build.chipp.ai
  2. Navigate to your application
  3. Click Publish in the sidebar, then Catalog
  4. In the API Keys section, click Create API Key
  5. Copy the key immediately — it is only shown once
ℹ️ ACP API keys are separate from Chat API keys. They use the acp_ prefix and are scoped to the ACP checkout endpoints.

Using Your API Key

Include your ACP API key in the Authorization header:

```http
Authorization: Bearer acp_xxxxx
```

Example

```bash
curl -X POST https://build.chipp.ai/acp/{appId}/checkout_sessions \
  -H "Authorization: Bearer acp_xxxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "line_items": [
      { "product_id": "550e8400-e29b-41d4-a716-446655440000", "quantity": 1 }
    ]
  }'
```

Which Endpoints Need Auth?

| Endpoint | Auth Required |
|---|---|
| GET /.well-known/agent.json | No |
| GET /products | No |
| POST /checkout_sessions | Yes |
| GET /checkout_sessions/{id} | Yes |
| POST /checkout_sessions/{id} | Yes |
| POST /checkout_sessions/{id}/complete | Yes |
| POST /checkout_sessions/{id}/cancel | Yes |

Key Format

ACP API keys always start with the acp_ prefix, followed by 32 random characters:

```plaintext
acp_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
```

Keys are stored as SHA-256 hashes. The raw key is returned only once at creation time. If you lose it, revoke the key and create a new one.

App Scoping

Each API key is bound to a specific application. The appId in the URL must match the application the key was created for. If they don’t match, you’ll receive a 403 error.

Error Responses

401 Unauthorized

Missing or invalid token:

```json
{ "error": { "code": "unauthorized", "message": "Missing or invalid Authorization header" } }
```

Invalid key format (missing acp_ prefix):

```json
{ "error": { "code": "unauthorized", "message": "Invalid API key format" } }
```

Key not found or revoked:

```json
{ "error": { "code": "unauthorized", "message": "Invalid API key" } }
```

API key has expired:

```json
{ "error": { "code": "expired", "message": "API key has expired" } }
```

403 Forbidden

API key doesn’t belong to the application in the URL:

```json
{ "error": { "code": "forbidden", "message": "API key does not match application" } }
```
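The checks described under Key Format, App Scoping and Error Responses, assembled into one server-side verification routine. This is an added illustration written for this page, not Chipp's implementation: the KeyStore, StoredKey and authenticate names are hypothetical, the alphanumeric 32-character key body and the separate revoked/expired flags are assumptions, and the response bodies are the ones documented above.

```python
# Added illustration of the ACP key checks described on this page (acp_ prefix, SHA-256
# storage, one-app binding, documented 401/403 bodies). Not Chipp's implementation:
# the names and the alphanumeric 32-character key body are assumptions.
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

KEY_PREFIX = "acp_"
KEY_BODY_LEN = 32
ALPHABET = string.ascii_letters + string.digits   # assumed alphabet for the random body


@dataclass(frozen=True)
class StoredKey:
    key_hash: str          # hex SHA-256 of the raw key; the raw key itself is never kept
    app_id: str            # the single application this key was created for
    revoked: bool = False
    expired: bool = False


def key_digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


class KeyStore:
    """Hypothetical store keyed by digest, so a leaked table does not yield usable keys."""

    def __init__(self) -> None:
        self._by_hash: Dict[str, StoredKey] = {}

    def create(self, app_id: str) -> str:
        raw = KEY_PREFIX + "".join(secrets.choice(ALPHABET) for _ in range(KEY_BODY_LEN))
        self._by_hash[key_digest(raw)] = StoredKey(key_digest(raw), app_id)
        return raw   # handed out exactly once, as the docs describe

    def revoke(self, raw_key: str) -> None:
        digest = key_digest(raw_key)
        if digest in self._by_hash:
            self._by_hash[digest] = replace(self._by_hash[digest], revoked=True)

    def expire(self, raw_key: str) -> None:
        digest = key_digest(raw_key)
        if digest in self._by_hash:
            self._by_hash[digest] = replace(self._by_hash[digest], expired=True)

    def lookup(self, raw_key: str) -> Optional[StoredKey]:
        return self._by_hash.get(key_digest(raw_key))

    def holds_raw_keys(self) -> bool:
        """Invariant check: nothing stored should look like an acp_ key."""
        return any(k.startswith(KEY_PREFIX) for k in self._by_hash)


def error(status: int, code: str, message: str) -> Tuple[int, dict]:
    return status, {"error": {"code": code, "message": message}}


def authenticate(store: KeyStore, authorization: Optional[str], url_app_id: str) -> Tuple[int, dict]:
    """Return (HTTP status, JSON body) following the responses documented for ACP."""
    if not authorization or not authorization.startswith("Bearer "):
        return error(401, "unauthorized", "Missing or invalid Authorization header")
    token = authorization[len("Bearer "):].strip()
    # The docs tie the format error to a missing acp_ prefix; the exact-length check is assumed.
    if not token.startswith(KEY_PREFIX) or len(token) != len(KEY_PREFIX) + KEY_BODY_LEN:
        return error(401, "unauthorized", "Invalid API key format")
    stored = store.lookup(token)
    if stored is None or stored.revoked:          # unknown and revoked keys look the same to callers
        return error(401, "unauthorized", "Invalid API key")
    if stored.expired:
        return error(401, "expired", "API key has expired")
    # Constant-time comparison of the key's application against the appId in the URL path.
    if not hmac.compare_digest(stored.app_id.encode("utf-8"), url_app_id.encode("utf-8")):
        return error(403, "forbidden", "API key does not match application")
    return 200, {"app_id": url_app_id}
```

The ordering matters for what a caller can learn: a malformed token is rejected before any lookup, unknown and revoked keys produce the same body, and the app check runs only after the key itself has been accepted, which is why a key for the wrong application yields a 403 rather than a 401.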

Rate Limits

ACP endpoints are rate-limited per 1-minute window:

| Route Type | Limit | Keyed By |
|---|---|---|
| Public (discovery) | 200 requests/min | Client IP |
| Authenticated (checkout) | 60 requests/min | API key |

When a rate limit is exceeded, the API returns a 429 response with a Retry-After header indicating how many seconds to wait:

```json
{ "error": "Rate limit exceeded" }
```

```http
HTTP/1.1 429 Too Many Requests
Retry-After: 12
```
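A client for the checkout call shown in the curl example above that sends the Bearer header, honours Retry-After on a 429, and stops on a 401 or 403 instead of retrying with a key that cannot succeed. This is an added example, not Chipp's SDK: the injectable transport callable, AcpAuthError and redact_key are hypothetical names, and the base URL is taken from the curl example. The transport is injected so the code runs offline; in production, pass a thin wrapper around your HTTP client.

```python
# Added client example (not Chipp's SDK) built around the curl call, the 401/403 bodies
# and the 429 + Retry-After behaviour documented on this page. The HTTP transport is
# injected so the example runs offline; the base URL comes from the page's curl example.
import json
import time
from typing import Callable, Dict, List, Optional, Tuple

BASE_URL = "https://build.chipp.ai/acp"

# (method, url, headers, body) -> (status, response headers, response body text)
Transport = Callable[[str, str, Dict[str, str], Optional[str]],
                     Tuple[int, Dict[str, str], str]]


class AcpAuthError(Exception):
    """401/403 from ACP: retrying will not help, the key or appId has to be fixed."""

    def __init__(self, status: int, code: str, message: str) -> None:
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


def redact_key(api_key: str) -> str:
    """Safe form of a key for logs: prefix plus the last 4 characters only."""
    return api_key[:4] + "..." + api_key[-4:] if len(api_key) > 8 else "acp_..."


def build_checkout_request(app_id: str, api_key: str,
                           line_items: List[dict]) -> Tuple[str, Dict[str, str], str]:
    """Same request as the curl example: Bearer header, JSON body, appId in the path."""
    url = f"{BASE_URL}/{app_id}/checkout_sessions"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return url, headers, json.dumps({"line_items": line_items})


def retry_after_seconds(headers: Dict[str, str], default: int = 1) -> int:
    """Read Retry-After (header names are case-insensitive); fall back if absent or malformed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    try:
        return max(0, int(lowered.get("retry-after", default)))
    except ValueError:
        return default


def create_checkout_session(transport: Transport, app_id: str, api_key: str,
                            line_items: List[dict], max_retries: int = 3,
                            sleep: Callable[[float], None] = time.sleep) -> dict:
    """POST a checkout session, waiting out 429s and failing fast on auth errors."""
    url, headers, body = build_checkout_request(app_id, api_key, line_items)
    for attempt in range(max_retries + 1):
        status, resp_headers, text = transport("POST", url, headers, body)
        if status == 429:
            if attempt == max_retries:
                raise RuntimeError(f"rate limit still exceeded for key {redact_key(api_key)}")
            sleep(retry_after_seconds(resp_headers))   # honour the server's wait hint
            continue
        if status in (401, 403):
            err = json.loads(text)["error"]              # {"code": ..., "message": ...}
            raise AcpAuthError(status, err["code"], err["message"])
        if status >= 400:
            raise RuntimeError(f"unexpected {status}: {text}")
        return json.loads(text)
    raise AssertionError("unreachable: every attempt returns or raises")
```

Two details are worth keeping when adapting this: the `expired` and `forbidden` codes surface on the exception so an agent can rotate the key or correct the appId instead of looping, and the raw key never reaches a log line, since the 60 requests/min limit is keyed by API key and a leaked key lets someone else consume that budget as well as your checkout sessions.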