App Tokens and Rotation
Ikawaari exposes merchant app token operations for installed marketplace apps.
These tokens are environment-aware and are part of the merchant app framework rather than the generic API key system.
Implemented route family
Current routes include:
GET /api/v1/merchant/apps/installations/{installationId}/tokensPOST /api/v1/merchant/apps/installations/{installationId}/tokensPOST /api/v1/merchant/apps/tokens/{tokenId}/rotatePOST /api/v1/merchant/apps/tokens/{tokenId}/revoke
Legacy-compatible merchant paths may also be available under api/merchant/apps/*.
Create a token
POST /api/v1/merchant/apps/installations/{installationId}/tokens
The backend validates that:
- the installation belongs to the current merchant
- the installation is active
- the app is active
- the grant is active and not expired
Generated token prefixes are environment-specific:
ik_app_test_...ik_app_live_...
Rotate a token
POST /api/v1/merchant/apps/tokens/{tokenId}/rotate
Rotation creates a new token and revokes the old one.
Revoke a token
POST /api/v1/merchant/apps/tokens/{tokenId}/revoke
Security note
Full token values are only available at creation or rotation time. Store them securely and never expose them in client-side code.