Skip to main content

title: “Authentication” description: “Learn how Boxpressd API keys work and how to securely connect your website to Boxpressd business data.”

The Boxpressd Sites SDK uses API keys to determine which business data your website can access. Every API key is associated with a specific Boxpressd business and automatically resolves the appropriate business context, allowing the SDK to load events, reviews, check-ins, sessions, and other business-specific content without additional configuration.

How Authentication Works

When your application initializes the BoxpressdProvider, the SDK uses the provided API key to: 1. Validate the key. 2. Determine the associated business. 3. Resolve the business type. 4. Load the appropriate data endpoints. This means developers do not need to manually configure venue IDs, brand IDs, or other identifiers. 
import { BoxpressdProvider } from "@boxpressd/sites-sdk"

export default function App() {
  return (
    <BoxpressdProvider
      apiKey={process.env.NEXT_PUBLIC_BOXPRESSD_API_KEY!}
    >
      {children}
    </BoxpressdProvider>
  )
}

Who Can Create API Keys?

API keys may be created by:

Boxpressd Staff

Boxpressd administrators can generate API keys for businesses directly through the administration panel. This is commonly used during onboarding or when assisting customers with website setup.

Business Owners and Managers

Authorized business users can generate and manage API keys through the Boxpressd Business Manager. This allows businesses to provide access to: * Internal development teams * Marketing agencies * Website contractors * Third-party developers

Agencies and Developers

Agencies and developers cannot create API keys unless they have been granted access by the business owner or Boxpressd staff. If you are building a website for a client, request an API key from the business you are working with.

Business Types

Each API key is associated with a specific business type. Currently supported business types include:
Business TypeDescription
venueCigar lounges, retailers, and smoking establishments
brandCigar manufacturers and cigar brands
The SDK automatically loads the correct endpoints based on the business type associated with the API key.

Storing API Keys

API keys should be stored using environment variables whenever possible. 
NEXT_PUBLIC_BOXPRESSD_API_KEY=your_api_key
Then reference the value in your application: 
<BoxpressdProvider
  apiKey={process.env.NEXT_PUBLIC_BOXPRESSD_API_KEY!}
>
  {children}
</BoxpressdProvider>

Development vs Production

You may use separate API keys for: * Local development * Staging environments * Production deployments This allows businesses to safely rotate keys without impacting active websites.

Key Rotation

If an API key is compromised or needs to be replaced: 1. Generate a new API key. 2. Update your environment variables. 3. Redeploy your application. 4. Revoke the old key. The SDK will begin using the new key immediately after deployment.

Security Best Practices

Follow these recommendations when working with Boxpressd API keys:

Do

* Store keys in environment variables. * Restrict access to authorized developers. * Rotate keys periodically. * Remove unused keys. * Use different keys for different environments.

Don’t

* Commit keys to source control. * Share keys publicly. * Embed keys in documentation or tutorials. * Post keys in support tickets or public forums.

Troubleshooting

Invalid API Key

If you receive an authentication error: 1. Verify the key was copied correctly. 2. Confirm the key has not been revoked. 3. Ensure the business account is active. 4. Verify you are using the correct environment variables.

No Data Appears

If components load but no data is returned: 1. Confirm the API key belongs to the expected business. 2. Verify the business has published content in Boxpressd. 3. Check that the API key has not expired or been rotated. 4. Confirm the provider is configured correctly.

Frequently Asked Questions

Can one website use multiple API keys?

The SDK is designed around a single business context per provider instance. Most websites should use a single API key.

Can I switch businesses dynamically?

Yes. Advanced implementations may initialize different provider instances with different API keys, though most sites are associated with a single venue or brand.

Do I need to know the business ID?

No. The SDK automatically resolves the business context associated with the API key.

Next Steps

Now that authentication is configured, continue to: * Provider * Business Context * Theming These guides explain how the SDK resolves business data and how to customize the appearance of Boxpressd components within your website.