## Technical Partners
Get Your Partner Keys
Be sure to request your partner keys from the Postscript team. Request your partner API keys [here](🔗).
As a partner, you'll use your Private API Key for authorization/authentication.
If you're making requests to get, add, update or delete one of your Triggers you won't need any additional authorization.
If you're making requests on behalf of a Shopify shop (such as getting keywords, adding a subscriber, etc), you'll need to add the `
X-Postscript-Shop-Token` header with a shop's Private API Key (obtained from the shop). Shops can find their API Key [here](🔗). Shops will need to use their Private API Key within your partner requests (not their Public Key).
As a shop, you'll use your Private API Key for authorization/authentication.
You can find your API Key [here](🔗). You will need to use your Private API Key to authorize requests (not your Public Key).
To authorize and authenticate a request, use your Private API Key in the bearer token header, such as `
Authorization: Bearer sk_1234567890abc` (partners would see their token closer to `
Authorization: Bearer sk_partner_1234567890abc`). This allows for general authentication and conducts authorization of the various Postscript API endpoints.
## Legacy Authentication
Our legacy authentication method is still supported in the for of the basic auth header, such as `
Authorization Basic cGtfMTIzNDU2Nzg5MGFiYzo=`. Remember when using this method to always base64 encode this header where the username is your Private API Key and the password is blank, such as `
Do note that in order to access our API, you need to use your **private** API token. Because of this, be aware that you don't want to expose this (or a shop's token) to the outside world. That could lead to potential abuses.
For example, using Zapier’s triggers & actions, your client can send a webhook “trigger” to Zapier with your form data, and then have an “action” within Zapier that sends the authenticated API request to Postscript. This ensures that your Postscript API tokens aren’t exposed client-side (they’re only available within Zapier).