Skip to content

API Access & Tokens

Your storefront reads your finished catalog through the Malovex API. To authenticate those requests, you create an API token in the panel and give it to your storefront or connector.

You manage tokens under Sales Channels → API Access.

  • Each token belongs to your account. All requests made with it are scoped to your data only.
  • A token is shown in full once, at creation. Malovex stores only a hashed copy, so it can never be shown again — copy it somewhere safe immediately.
  • You can create as many tokens as you need. There is no per-plan limit on tokens.
  • Give each integration its own token so you can revoke one without disrupting the others.

When you create a token you choose its access level:

Access Can do Use for
Connector Read only — pull stores, products, prices, and changes. Storefront and connector integrations that only consume your catalog. This is the default.
Full Read and write — everything a connector token can, plus creating and updating stores, categories, attributes, price rules, and more. Automation that manages your Malovex configuration through the API.

Most storefront integrations only ever read, so Connector is the right choice unless you specifically need to write data back.

  1. Go to Sales Channels → API Access and choose Create token.

  2. Enter a token name — a label so you can tell your integrations apart, e.g. “Magento – production”.

  3. Choose the access level (Connector or Full).

    The create token form with fields for the token name and the access level
  4. Create the token. A dialog shows the full token value with a copy button.

  5. Copy it now — for security it will not be shown again. Paste it into your storefront’s Malovex configuration.

    The dialog showing the full API token value once, with a copy button and a warning that it will not be shown again

The token list shows each token’s name, access level, and when it was last used, so you can spot ones that are no longer active.

Send the token as a Bearer token in the Authorization header on every request:

Terminal window
curl https://api.malovex.com/v1/products \
-H "Authorization: Bearer mlx_xxx"

Malovex works out which account the request belongs to from the token itself — you never pass an account ID in the URL.

For the full API details, see the API Reference.

To revoke a token, delete it from the API Access list. The revocation is immediate — any request made with that token afterwards is rejected. Issue a fresh token and update the affected integration.