Key format
Two prefixes: pm_live_ for production, pm_test_ for sandbox. The body is 32 chars of base62, the prefix is plaintext for visual identification.
pm_live_4f3a8b9c2d1e7f6a5b4c3d2e1f0a9b8cDocs
REST API + MCP — everything documented.
OpenAPI 3.1 spec, 16 base tools, GDPR webhooks, rate limits per plan. The reference for shops integrating PackMate into their own stack.
Quickstart
Five minutes to first request
From install to your first authenticated API call. Works for both REST and MCP — same key, same tools, different transports.
- 1
Install PackMate on Shopify
Click "Install" on the App Store. PackMate runs on every plan, so you can start with Free.
- 2
Generate an API key
Settings → API & MCP → Generate key. Keys have prefix pm_live_ or pm_test_ for sandbox.
pm_live_4f3a8b9c2d1e... - 3
Make your first request
Use curl, fetch, or any HTTP client. The X-API-Key header authenticates every request.
curl https://packmate.shop/api/v1/health \ -H 'X-API-Key: pm_live_…' - 4
Next: connect MCP
If you want AI integration, the same key works for the MCP server. See /ai for Claude / ChatGPT setup.
Authentication
API keys, scopes, rotation
PackMate uses API keys with the X-API-Key header. Keys are SHA-256 hashed at rest, scoped to a shop, and can be rotated in one click.
Header format
Send the key in the X-API-Key header on every request. Bearer token in the Authorization header is also accepted.
X-API-Key: pm_live_…
# or
Authorization: Bearer pm_live_…Rotation
Generate a new key in the admin, swap it in your client, then revoke the old one. PackMate supports up to 5 active keys per shop for staged rotations.
DELETE /api/v1/keys/:key_id
Response: 204 No ContentScopes
Keys default to full read+write. Scoped keys (read-only, label-only) are on the roadmap — for now, use Shopify staff permissions to limit who can generate keys.
scope: read_only | label_only | full
# (read_only and label_only ship Q3 2026)Rate limits
Limits scale with your plan
Per-minute and burst limits. Bursts smooth out via token bucket — short spikes don't get blocked. Custom plans negotiate their own limits.
| Plan | Req / min | Burst | Concurrent |
|---|---|---|---|
| Free | 60 | 120 | 5 |
| Basic | 120 | 240 | 10 |
| Pro | 300 | 600 | 25 |
| Business | 600 | 1200 | 50 |
| Custom | neg. | neg. | neg. |
Swipe to see more
When you hit the limit, you get a 429 response with a Retry-After header. The header tells you how many seconds to wait.
Error codes
What it means when something fails
Standard HTTP semantics with PackMate-specific error bodies. Every error includes a machine-readable code field plus a human-readable message.
| Code | Meaning | Action |
|---|---|---|
400 | Bad request — body or query is malformed | Check the request shape against the OpenAPI spec. |
401 | Unauthorized — missing or invalid API key | Send X-API-Key header with a valid pm_live_ or pm_test_ key. |
402 | Payment required — plan cap reached | Upgrade plan or wait for next billing cycle. Use Bulk-Reconciliation after upgrade. |
403 | Forbidden — feature not in your plan | Currently only query_carrier_rates is plan-gated (Custom only). |
404 | Not found — resource doesn't exist | Verify the ID. For orders, the order may not yet be synced. |
422 | Unprocessable — semantic validation failed | Read the error.message — typically missing dimensions or invalid material. |
429 | Too many requests — rate limit hit | Back off using the Retry-After header. See rate limits table above. |
500 | Internal error — bug on our side | Retry once, then email support@packmate.shop with the request_id from the error body. |
503 | Service unavailable — maintenance or DB issue | Retry with exponential backoff. Status page at status.packmate.shop. |
Swipe to see more
Client error (4xx)Server error (5xx)
Webhooks
GDPR + lifecycle webhooks
PackMate registers six Shopify webhooks. Four are GDPR-mandatory; two are operational. All payloads are signed with HMAC-SHA256 — verify before processing.
customers/redactRequiredCustomer requested data deletion. PackMate redacts customer-related pack history within 30 days.
customers/data_requestRequiredCustomer requested a data export. PackMate compiles the export within 30 days.
shop/redactRequiredShop uninstalled 48 hours ago — Shopify mandates full data deletion within 30 more days.
app/uninstalledRequiredApp was uninstalled. PackMate stops billing immediately and starts the 30-day grace window.
products/updateOptionalProduct changed — PackMate refreshes cached dimensions and metafields.
app/scopes_updateOptionalRequired scopes changed — PackMate prompts the merchant to re-authorize.
All webhooks signed with HMAC-SHA256 using your app secret. Verify the X-Shopify-Hmac-SHA256 header before processing.
Ready to integrate? Generate a key.
Install PackMate, generate an API key, run your first request — all in under five minutes.