Skip to main content
Personal Access Tokens (PATs) let you call the OrderProtection API directly for the stores you already have access to, without building and installing an app. They’re the fastest way to script against your own data — pulling analytics, reading orders, or automating claim workflows.
PAT vs. OAuth — which do I use?
  • Use a Personal Access Token to access your own account’s stores — internal scripts, data exports, back-office automation. No app, no marketplace, no install step.
  • Use OAuth to build an app that other merchants install. The app receives tokens scoped to whatever each merchant granted at install time.

How a PAT is scoped

A PAT inherits the identity of the user who created it:
  • Account — the token is permanently bound to your account. It can only ever read data belonging to that account. This binding is fixed at creation time and does not change afterward.
  • Stores — the token can only act on stores where you have a role. If you lose access to a store, the token loses it too.
  • Scopes — you choose a subset of your permissions when creating the token (see Scopes below). A token can never exceed the permissions you already hold.
A PAT cannot grant access you don’t already have. If you don’t have a role on a store, you cannot create a token for it — the store will be rejected with a “Store denied” error.

Creating a token

Create and manage Personal Access Tokens from your OrderProtection dashboard:
  1. Click your avatar in the top corner, then select Personal Access Tokens.
  2. Click Create token, give it a name, and select the stores and scopes it should carry.
  3. (Optional) Set an expiration date.
  4. Click Create. The full token is shown once — copy it immediately and store it somewhere safe.
The raw token value is revealed only at creation. If you lose it, revoke the token and create a new one — it cannot be shown again.

Token format

Personal Access Tokens are prefixed with op_pat_:
op_pat_8508b7432c45f79827460fea_ajhnyH-9t8Jy4j8JyNtKVak2efAhJ88R...

Using a token

Send the token as a Bearer token in the Authorization header — exactly like an OAuth access token:
curl -X GET "https://api.production.orderprotection.com/v1/analytics/tables/orders" \
  -H "Authorization: Bearer op_pat_8508b7432c45f79827460fea_ajhnyH..."
const response = await fetch(
  "https://api.production.orderprotection.com/v1/analytics/tables/orders",
  {
    headers: { Authorization: "Bearer op_pat_8508b7432c45f79827460fea_ajhnyH..." },
  }
);
const body = await response.json();
Because a PAT can be scoped to multiple stores, endpoints that support multiple stores will return data for all of the token’s authorized stores by default. Use the store_ids query parameter to narrow a request to specific stores.

Available scopes

A Personal Access Token can carry any subset of the following scopes. Scope names use the domain:verb format.
ScopeDescription
analytics:readRead store analytics and reporting data (see the Analytics API)
order:readRead order data
order:updateCreate and update orders
claim:readRead claim data and status
claim:createFile new claims
claim:updateUpdate existing claims
order-note:readRead order notes
order-note:createAdd order notes
order-note:updateUpdate order notes
order-note:deleteDelete order notes
fulfillment:readRead fulfillment data
fulfillment:createCreate fulfillments
fulfillment:updateUpdate fulfillments
A token only receives the scopes you select and already hold. Selecting a scope you don’t have will be rejected at creation.

Revoking a token

Revoke a token at any time from your avatar → Personal Access Tokens. Revocation takes effect immediately — any further requests using that token return 401 Unauthorized.
Rotate tokens periodically and revoke any token that may have been exposed. Treat a PAT like a password: never commit it to source control or embed it in client-side code.