Authentication

Two methods: API keys for programmatic access, Firebase tokens for the dashboard.

Authentication methods

Method | Header | Used for
API key | x-api-key | External integrations, webhooks, preset operations
Firebase token | Authorization: Bearer <token> | Dashboard, account management, credentials, billing

API key authentication

API keys are used for all programmatic access to Cloud Bridge, including store integrations and direct API calls. Pass your key in the x-api-key header with every request.

Example: Authenticated request
curl -X POST https://your-project.cloudfunctions.net/api/auth/login \
  -H "Content-Type: application/json" \
  -H "x-api-key: ndsp_live_xxxxxxxxxxxxxxxx" \
  -d '{"email": "user@example.com", "password": "..."}'

Creating API keys

Create API keys from the API Tokens page in your dashboard. Each key gets a unique identifier and a one-time-visible secret:

  • The full key is shown once at creation. Copy it immediately.
  • After dismissal, only a masked preview (e.g., ndsp_...x4f2) is stored.
  • You can create multiple keys for different stores or environments.
  • Keys can be deactivated but not deleted, which preserves audit history.

Rate limiting

API keys are rate-limited to 100 requests per hour by default. If you exceed this limit, you receive a 429 Too Many Requests response. The limit resets on a rolling window.

Rate limit exceeded response
{
  "error": {
    "message": "Rate limit exceeded",
    "code": "RATE_LIMIT_EXCEEDED"
  }
}

Firebase token authentication

The Cloud Bridge web dashboard uses Firebase Authentication. When you sign in with email/password or Google, Firebase issues an ID token that is included in all account management requests.

This method is used for:

  • Managing NDSP credentials (save, validate, delete)
  • Creating and listing API keys
  • Viewing usage statistics
  • Managing store integrations
  • Credit purchases and billing management

Note: Firebase tokens are handled automatically by the web dashboard. You don't need to manage them manually unless you're building a custom client.

Webhook signature verification

Store webhooks use HMAC signature verification to ensure the request originated from your store platform. Each store integration has its own signing secret.

The verification process varies by platform:

  • Shopify: validates the X-Shopify-Hmac-Sha256 header
  • WooCommerce: validates the X-WC-Webhook-Signature header
  • Generic: validates the X-Webhook-Signature or X-NDSP-Signature header using HMAC-SHA256

See the Webhooks guide for payload and signature details.
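
A receiver-side check for the three header families listed above, as an added example that is not Cloud Bridge's own code. The function names, sample secret and sample payload are constructed for illustration, and hex encoding for the generic headers is an assumption (the page states only HMAC-SHA256).

```python
import base64
import hashlib
import hmac

# Header names come from the page. Encodings: Shopify and WooCommerce send
# base64 digests; hex for the generic headers is an assumption.
SIGNATURE_HEADERS = {
    "shopify": (("x-shopify-hmac-sha256",), "base64"),
    "woocommerce": (("x-wc-webhook-signature",), "base64"),
    "generic": (("x-webhook-signature", "x-ndsp-signature"), "hex"),
}

# Constructed sample data, not real secrets or payloads.
SAMPLE_SECRET = b"constructed-signing-secret"
SAMPLE_BODY = b'{"order_id": 1001, "total": "19.99"}'


def verify_webhook(platform, headers, raw_body, secret):
    """Return True only if the signature header matches HMAC-SHA256(secret, raw_body).
    raw_body must be the bytes exactly as received, not re-serialized JSON."""
    if platform not in SIGNATURE_HEADERS or not secret:
        return False
    names, encoding = SIGNATURE_HEADERS[platform]
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    received = next((lowered[n] for n in names if n in lowered), None)
    if received is None:
        return False  # unsigned request: reject, never fall through to processing
    try:
        if encoding == "base64":
            received_mac = base64.b64decode(received.strip(), validate=True)
        else:
            received_mac = bytes.fromhex(received.strip())
    except ValueError:  # malformed signature (binascii.Error is a ValueError)
        return False
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(received_mac, expected_mac)


def sign(body, secret, encoding):
    """Hypothetical helper that produces a signature the way a sender would."""
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode() if encoding == "base64" else mac.hex()


if __name__ == "__main__":
    good = {"X-Shopify-Hmac-Sha256": sign(SAMPLE_BODY, SAMPLE_SECRET, "base64")}
    print(verify_webhook("shopify", good, SAMPLE_BODY, SAMPLE_SECRET))
    print(verify_webhook("shopify", good, SAMPLE_BODY + b" ", SAMPLE_SECRET))
```

Verify against the raw request bytes before any JSON parsing, since re-serializing the body can change whitespace or key order and invalidate a legitimate signature.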

Error responses

Authentication errors return standard JSON error objects:

Status | Code | Description
401 | UNAUTHORIZED | Missing or invalid API key / token
403 | FORBIDDEN | Key is inactive or lacks permission
429 | RATE_LIMIT_EXCEEDED | Too many requests in the time window