API keys and scopes

Authentication

Authorization: Bearer sk_live_...

Store-scoped: one store per key
Hashed at rest (SHA-256); prefix sk_live_ with first 12 chars shown in dashboard
Cannot access Merchant Admin session APIs

Scope	Access
`invoices:read`	List and read invoices
`invoices:write`	Create and cancel invoices
`transactions:read`	Read on-chain payment transactions
`payment_links:read` / `payment_links:write`	Payment links
`webhooks:read` / `webhooks:write`	Webhook endpoints and deliveries

Use transactions:read (not legacy payments:read).

Key	Scopes	Use
Bootstrap	`woocommerce:bootstrap`	Connect only (24h)
Dedicated	`invoices:create`, `invoices:read`, Woo scopes	Plugin runtime (auto-issued)

Dedicated keys cannot access payment links, transaction list, or developer webhook management.

HTTP 403:

{
  "error": {
    "type": "permission_error",
    "code": "INSUFFICIENT_SCOPE",
    "message": "Missing transactions:read scope"
  }
}

⌘I