Most Plato APIs use API keys created in Console. Create keys on the Console API Keys page. Use a dedicated key per integration so it can be rotated or removed without affecting other tools.

Preferred Header

For most API requests, send the key as a Bearer token:
Authorization: Bearer plato_your_api_key
Example:
curl "https://api.plato.ae/api/public/cms/products/list" \
  -H "Authorization: Bearer $PLATO_API_KEY"

Alternative Header

Some integrations use x-api-key:
x-api-key: plato_your_api_key
Example:
curl "https://api.plato.ae/api/public/cms/products/list" \
  -H "x-api-key: $PLATO_API_KEY"

Query Parameter

Older REST endpoints also accept apiKey in the query string:
curl "https://api.plato.ae/api/public/menu/products?apiKey=$PLATO_API_KEY"
Use headers for new server-side integrations. Query strings can appear in logs, browser history, analytics tools, and shared URLs.
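
An added example (not from the Plato docs or SDK) of auditing logs for the query-string exposure described above: it redacts `apiKey` values from logged request URLs, including percent-encoded ones, and counts which paths still receive keys this way. The log format, the sample lines, and the key alphabet after the `plato_` prefix are assumptions.

```javascript
// Added example, not Plato code: scrub API keys from access-log lines.
// Assumptions: combined-log-style request field; keys start with "plato_"
// (taken from the page's placeholder); the key alphabet below is a guess.
const SAMPLE_LOG = [ // constructed lines, not real traffic
  '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /api/public/menu/products?apiKey=plato_EXAMPLEKEY123&page=2 HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /api/public/cms/products/list HTTP/1.1" 200 2048',
  '203.0.113.9 - - [01/Jan/2025:10:00:02 +0000] "GET /api/public/menu/products?page=1&APIKEY=plato%5FENCODED456 HTTP/1.1" 200 512',
];

const KEY_TOKEN = /plato_[A-Za-z0-9_-]+/g; // assumed key alphabet

// Redact one log line. Returns the cleaned line and, if a key was found in
// the query string, the path that received it (otherwise null).
function scrubLine(line) {
  let leakedPath = null;
  const out = line.replace(/"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/, (m, method, target, proto) => {
    let url;
    try { url = new URL(target, "http://log.invalid"); } catch { return m; }
    // Parse the query instead of pattern-matching it, so percent-encoded
    // values and differently cased parameter names are still caught.
    for (const name of [...url.searchParams.keys()]) {
      if (name.toLowerCase() === "apikey") {
        url.searchParams.set(name, "REDACTED");
        leakedPath = url.pathname;
      }
    }
    return leakedPath ? `"${method} ${url.pathname}${url.search} ${proto}"` : m;
  });
  // Second pass: bare key tokens elsewhere in the line (e.g. dumped headers).
  return { line: out.replace(KEY_TOKEN, "plato_REDACTED"), leakedPath };
}

// Scrub a whole log and count query-string key usage per path, which tells
// you which integrations still need to move to the Authorization header.
function auditLog(lines) {
  const scrubbed = [];
  const leaksByPath = {};
  for (const raw of lines) {
    const { line, leakedPath } = scrubLine(raw);
    scrubbed.push(line);
    if (leakedPath) leaksByPath[leakedPath] = (leaksByPath[leakedPath] || 0) + 1;
  }
  return { scrubbed, leaksByPath };
}

const report = auditLog(SAMPLE_LOG);
console.log(report.leaksByPath);
console.log(report.scrubbed.join("\n"));
```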

SDK Authentication

The Plato SDK sends the Bearer header for you.
import { createPlatoApiClient } from "plato-api-sdk";

const plato = createPlatoApiClient({
  baseUrl: "https://api.plato.ae",
  apiKey: process.env.PLATO_API_KEY,
});
Keep PLATO_API_KEY on the server. Do not expose it in browser JavaScript or mobile apps.

Session Authentication

The profile endpoint uses the signed-in user session instead of an API key. Use session-based endpoints only when the request is being made for a signed-in user. API-key integrations should use the API-key routes documented in this section.

Key Safety

  • Store API keys in environment variables or a secret manager.
  • Do not paste keys into public code, screenshots, support tickets, or docs.
  • Rotate keys when a tool owner changes.
  • Delete keys that are no longer used.
  • Give each key the smallest role that still lets the integration work.