Overview

Storefront applications use API key authentication to access the Crave API. This is a simple, secure way to authenticate your requests without complex session management.

Getting Your API Key

  1. Visit dashboard.craveup.com/developers
  2. Sign up or log in to your Crave developer account
  3. Navigate to API Keys in the developer section
  4. Create a new API key with appropriate permissions
  5. Copy and securely store your API key
  6. Note your Location ID from the dashboard

Alternative Methods

  • Merchant Partnership: Contact your merchant partner directly
  • API Generation: Admin API endpoints (Enterprise tier only - contact support for beta access)
  • Support: Email hello@craveup.com for assistance

Environment Setup

Add these environment variables to your .env.local: 
# Required - Your API key from the merchant
CRAVE_API_KEY=your_api_key_here

# Required - API base URL
CRAVE_API_BASE_URL=https://api.cravejs.com

# Required - Location ID for this storefront
NEXT_PUBLIC_LOCATION_ID=your_location_id_here

# Required for payments - Stripe publishable key
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_...

Making Authenticated Requests

Include your API key in the X-API-Key header: 
// Fetch menu items
const response = await fetch(`${process.env.CRAVE_API_BASE_URL}/api/v1/locations/${locationId}/menus`, {
  headers: {
    'X-API-Key': process.env.CRAVE_API_KEY,
    'Content-Type': 'application/json'
  }
});

const menu = await response.json();

API Client Helper

Create a simple API client for consistency: 
// lib/api-client.js
const API_BASE_URL = process.env.CRAVE_API_BASE_URL;
const API_KEY = process.env.CRAVE_API_KEY;

export async function craveApi(endpoint, options = {}) {
  const url = `${API_BASE_URL}/api/v1${endpoint}`;
  
  const response = await fetch(url, {
    ...options,
    headers: {
      'X-API-Key': API_KEY,
      'Content-Type': 'application/json',
      ...options.headers
    }
  });
  
  if (!response.ok) {
    throw new Error(`API request failed: ${response.status}`);
  }
  
  return response.json();
}

// Usage
const menu = await craveApi(`/api/v1/locations/${locationId}/menus`);

Rate Limits

  • Limit: 200 requests per 10 minutes per IP address
  • Headers:
    • X-RateLimit-Remaining: Requests remaining in current window
    • X-RateLimit-Reset: When the rate limit resets (Unix timestamp)
  • Exceeded: Returns 429 status with retry information

Error Handling

Common error responses: 
// Handle API errors
try {
  const data = await craveApi('/api/v1/locations/invalid-id');
} catch (error) {
  if (error.message.includes('401')) {
    // Invalid API key
    console.error('Check your API key');
  } else if (error.message.includes('403')) {
    // Merchant subscription required
    console.error('Merchant needs active subscription');
  } else if (error.message.includes('429')) {
    // Rate limit exceeded
    console.error('Too many requests, please wait');
  }
}

Security Best Practices

  • Never expose API keys in client-side code
  • Use environment variables for key storage
  • Use HTTPS in production
  • Implement proper error handling

Testing

Test your authentication setup: 
// Test API connection
async function testConnection() {
  try {
    const response = await craveApi(`/api/v1/locations/${process.env.NEXT_PUBLIC_LOCATION_ID}`);
    console.log('API connection successful:', response);
  } catch (error) {
    console.error('API connection failed:', error);
  }
}
That’s it! Simple API key authentication is all you need for storefront development.