Skip to main content
The API Access page lets you manage the tokens that your storefront, analytics, and developer integrations use to call the Layers APIs. From here you can create new tokens, rotate every token at once, and control which response fields are exposed to clients. Managing API tokens requires the Manage API keys permission, which is available to the Owner, Admin, and Developer roles.

Create an API token

  1. Go to Settings > API Access.
  2. Create a token, give it a descriptive name, and select the permissions it needs.
  3. Copy the token value and store it somewhere safe — you won’t be able to see it again.

Rotate API keys

Rotating keys regenerates the value of every API token on your store while keeping each token’s name, permissions, and default flag intact. Use it when a key may have been exposed, when an integration partner changes, or as part of a routine security review.
Existing API keys stop working immediately after rotation. Update every storefront, analytics, and developer integration with the new keys before rotating in production.
  1. Go to Settings > API Access.
  2. Select Rotate API keys in the page header.
  3. Confirm the action in the dialog.
  4. Copy the new token values from the tokens list and update each integration that uses them.
After rotation, event ingestion endpoints are resynced with the new keys before the old keys are revoked, so a correctly updated storefront keeps tracking without interruption.

Configure response options

The Expose variant inventory toggle controls whether per-variant inventory levels are returned in API responses. Turn it on if your storefront needs to show stock counts or hide sold-out variants, and turn it off to keep inventory data private. Changes save automatically.

Review app connections

The App Connections table lists every OAuth app that a team member has connected to this store — for example, MCP clients authorized through the Layers MCP server. Each row shows the app, the user who authorized it, and its current access.
  • App — the connecting app’s name and OAuth client ID, with its logo if the app supplied one.
  • Connected by — the team member who authorized the connection. A connection can never exceed that user’s own access.
  • Current access — the permissions the connection can currently exercise. Layers intersects the permissions the user originally granted with the permissions that user still has today. Tightening a role automatically narrows every connection it created.
  • StatusValid when the connection retains at least one working permission, or No access when permission changes have left the connection with nothing it can do. No access rows are safe to revoke.
Use the search box to filter by app name, user, or permission. To revoke a connection, remove the underlying permission from the user’s role or ask the user to disconnect the app from their MCP client.

Next steps