# Public apps

To authenticate with ShopBase using a public app, you'll need to generate the credentials from your Partner Dashboard and then use them to implement [OAuth](https://developers.shopbase.com/build-an-app/making-your-first-request/authentication/oauth).

### Generate credentials from your Partner Dashboard

You can create a public application from your [Partner Dashboard](https://accounts.shopbase.com/partners).

To create an app:

1. Once you are ShopBase's partner, and you own a store, you could see **Manage public apps** from your profile menu. Click **Manage public apps** to go to your Partner Dashboard.
2. From your Partner Dashboard, click **Apps** > **Create app**.
3. Provide an app name and URL where you will place authentication url of your app.
4. Click **Create app**. You are directed to your app's overview page, where you can view the API key and API secret that you will need for OAuth.

![Create public app screen](https://3288751224-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LbgZ5I9YLGCL2kxzq2a%2F-Lc1wMMjResREM1bLlSx%2F-Lc1xavBelpOQ65dsgHG%2Fimage.png?alt=media\&token=119bf4fc-0f4a-4578-abdf-61cec31d5154)

### Manage Access From App to ShopBase

The Access Token is the primary method for your application to authenticate with the ShopBase system. To enhance connection security and reduce potential risks, we have implemented additional security layers.

Starting from May 21, 2025, 100% of API requests to ShopBase must comply with the following security layers:

* Mandatory Layer: Token Secret
* Optional Layer: Whitelisted IPs

#### Token Secret

The Token Secret is a confidential string that must be included in every request from your application to ShopBase. It must be passed in the HTTP header named `X-ShopBase-Token-Secret` .

To generate a Token Secret, go to Access Control >> Generate new secret.

<figure><img src="https://3288751224-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LbgZ5I9YLGCL2kxzq2a%2Fuploads%2FsV2xsU8W1Vt4t3i6JiIn%2Fimage.png?alt=media&#x26;token=8f82b773-a628-49b7-9e92-01c0a4cc0570" alt=""><figcaption><p>Generate new secret</p></figcaption></figure>

After clicking Generate, a new Secret will be created and displayed immediately. For security reasons, you must store it yourself — just like how you would store a password. We will permanently hide the secret right after you click Close.

<figure><img src="https://3288751224-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LbgZ5I9YLGCL2kxzq2a%2Fuploads%2FLs7i2ZruMd2M0MWvEuOW%2Fimage.png?alt=media&#x26;token=1ec16384-e2de-45a2-a9c0-6940d324af85" alt=""><figcaption><p>Copy new secret</p></figcaption></figure>

You can create and manage up to 3 Token Secrets at the same time. The Switch button allows you to enable or disable the active status of each secret individually, and the Delete button will permanently remove it.

<figure><img src="https://3288751224-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LbgZ5I9YLGCL2kxzq2a%2Fuploads%2FrVBv7dCFFjuYPGI3rLZv%2Fimage.png?alt=media&#x26;token=d4c9ac50-dcbb-4a94-b21c-07100eee5467" alt=""><figcaption><p>Manage list secret</p></figcaption></figure>

#### Whitelisted IPs

Whitelisted IP is an advanced security layer that allows you to configure specific IP addresses or IP ranges permitted to send requests from your application to ShopBase. This layer is not mandatory; however, we recommend using it to restrict access to trusted sources.

<figure><img src="https://3288751224-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LbgZ5I9YLGCL2kxzq2a%2Fuploads%2FZa6vVmwaXAS1BUB5CUsx%2Fimage.png?alt=media&#x26;token=df3e09f3-505d-4b56-98a5-4b678f79dfe3" alt=""><figcaption></figcaption></figure>

**Note**: Changes made in the Access Control section are not applied immediately. They will be synchronized with the system within up to **15 minutes**.

### Make authenticated requests <a href="#make-authenticated-requests" id="make-authenticated-requests"></a>

Public apps authenticate to ShopBase by including the `X-ShopBase-Access-Token` and  `X-ShopBase-Token-Secret` header fields in each HTTP request to the ShopBase API. This access token is obtained through an OAuth handshake. To learn more about how OAuth works, see [*OAuth*](https://developers.shopbase.com/build-an-app/making-your-first-request/authentication/oauth).