Skip to main content


Manage your secret API key to authenticate requests with Wino.

Each access to the data (catalog products, transactions ...) of an account (= an organization composed of one or more shops) is secured by a token system.

To execute a GraphQL query, you must send a POST request to the Wino /graphql endpoint with your desired query and the secret API key as below.

curl \
-H "Content-Type: application/json" \
-H "Authorization: Bearer xxxx" \
-d '{ "query": "{ # my query }" }' \

The secret API key is then passed to the headers of your request within the Authorization property.

Also know that :

  • Each query/mutation made with this token will be logged in our service as coming from your identity.

  • There is no notion of scope for access to your data. You benefit by default from an "admin" type role.

  • Wino authenticates your API requests using your account’s API keys. If you do not include your key when making an API request, or use one that is incorrect or outdated, Wino returns an error.


Your secret API key should be kept confidential and only stored on your own servers. It can perform any API request to Wino without restriction. Treat your secret API key as you would any other password. Grant access only to those who need it. Control access to your key using a password manager or secrets management service.

This secret API key allows you to make calls from a server and should never be used to make browser-side calls.

Obtaining your secret API key

To have access to the API URL and the secret API key, please contact the Wino team by email at