Authentication
ReceiptKit uses API keys to authenticate requests. Each key is scoped to an organization and determines what actions are allowed.
API Key Types
ReceiptKit provides two types of API keys for different use cases:
Secret key (rk_live_): Full access to all API endpoints. Used for server-to-server communication and Receipt Bridge configuration.
Permissions
- Send print jobs
- Register and manage bridges
- Sync templates and fonts
- Full MQTT publish/subscribe/retain
Public key (rk_pub_): Restricted access, safe to use in browser-side code. Can send print jobs and read status, but cannot manage resources.
Permissions
- Send print jobs
- Subscribe to printer/bridge status
- Cannot register bridges or sync templates
- Cannot manage API keys or team
Which Key Should I Use?
| Use Case | Key Type | Why |
|---|---|---|
| Server-side API calls (Node.js, Python, etc.) | rk_live_ | Full access, key stays on your server |
| Receipt Bridge desktop app | rk_live_ | Bridge needs full access to register and sync |
| Browser/frontend print button | rk_pub_ | Key is visible in client-side code, restricted access limits risk |
| POS system integration | rk_pub_ | Only needs to send print jobs |
Creating API Keys
API keys are created in the ReceiptKit dashboard:
- Go to Settings → API Keys in the dashboard
- Click Create API Key
- Choose the key type (Secret or Public)
- Give it a descriptive name (e.g., "Production POS", "Development Bridge")
- Copy the key immediately — it won't be shown again
Important: API keys are shown only once when created. The key is stored as a SHA-256 hash in our database — we cannot retrieve the original key. If you lose a key, revoke it and create a new one.
Using API Keys
Include your API key in the Authorization header as a Bearer token:
```
Authorization: Bearer rk_live_your_api_key_here
```

```bash
curl -X POST https://receiptkit.io/api/bridge/print \
  -H "Authorization: Bearer rk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"printerMac": "00:11:62:xx:xx:xx", "templateId": "...", "data": {...}}'
```

```javascript
const response = await fetch("https://receiptkit.io/api/bridge/print", {
  method: "POST",
  headers: {
    "Authorization": "Bearer rk_live_abc123...",
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    printerMac: "00:11:62:xx:xx:xx",
    templateId: "your-template-id",
    data: { storeName: "My Store", total: "$9.99" },
  }),
});
```

Security Best Practices
- Never expose rk_live_ keys in client-side code. Use rk_pub_ keys for browser-side integrations.
- Use environment variables to store API keys on your server. Never commit keys to version control.
- Rotate keys regularly. You can have multiple active keys per organization. Create a new key, update your integration, then revoke the old one.
- Revoke compromised keys immediately from the dashboard. Revocation is instant — the key will stop working on the next request.
- Org-scoped isolation. Each API key is tied to one organization. A key from one org cannot access another org's printers, templates, or data.
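The first two practices can be checked mechanically before code is committed or a browser bundle is published. The Node.js scanner below is an added example, not ReceiptKit code: it reports rk_live_ keys found in file contents, with the key redacted, and ignores rk_pub_ keys. The character set after the prefix, the placeholder list, the sample keys and the RECEIPTKIT_API_KEY variable name are assumptions made for the example.

```javascript
// Only the rk_live_ / rk_pub_ prefixes come from the docs; the character set
// allowed after the prefix is an assumption, kept broad to avoid misses.
const SECRET_KEY_RE = /\brk_live_[A-Za-z0-9_-]+/g;

// Placeholder strings used in documentation samples, not real credentials.
const PLACEHOLDERS = new Set(["rk_live_your_api_key_here", "rk_live_abc123"]);

// Keep the prefix and the last 4 characters so CI logs never hold a usable key.
function redact(key) {
  return "rk_live_****" + key.slice(-4);
}

// Scan one file's text; returns [{ path, line, column, preview }].
function scanText(path, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((lineText, i) => {
    for (const m of lineText.matchAll(SECRET_KEY_RE)) {
      if (PLACEHOLDERS.has(m[0])) continue; // documentation sample, skip
      findings.push({ path, line: i + 1, column: m.index + 1, preview: redact(m[0]) });
    }
  });
  return findings;
}

// Scan a { path: text } map, e.g. staged files or a built bundle directory.
function scanFiles(files) {
  return Object.entries(files).flatMap(([path, text]) => scanText(path, text));
}

// Constructed sample input; both keys are made up for this example.
const SAMPLE_FILES = {
  // Minified browser bundle: the public key is fine, the secret key is not.
  "dist/app.min.js":
    'const k="rk_pub_Zx81mQpL0aYt";fetch(u,{headers:{Authorization:"Bearer rk_live_9fQ2LmT7xB4cVd8K"}});',
  // Server code reading the key from a (hypothetically named) env variable.
  "server/print.js": "const key = process.env.RECEIPTKIT_API_KEY;\n",
  // Docs placeholder: matches the pattern but is on the ignore list.
  "README.md": "Send `Authorization: Bearer rk_live_your_api_key_here`.\n",
};

const findings = scanFiles(SAMPLE_FILES);
for (const f of findings) {
  console.log(`${f.path}:${f.line}:${f.column}: secret key ${f.preview}`);
}
// A CI job would exit non-zero whenever findings is non-empty.
```

Any key this check finds should be treated as compromised: revoke it in the dashboard and create a replacement rather than only deleting it from the file.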
MQTT Authentication
If you're using the @receiptkit/mqtt-client library, authentication is handled automatically. The library uses your API key to authenticate with the MQTT broker (AWS IoT Core) via a custom authorizer.
| MQTT Parameter | Value |
|---|---|
| Username | Your API key (rk_live_ or rk_pub_) |
| Password | Your organization ID |
| Topics | receiptkit/org/{orgId}/* |