Quick Start
Welcome to the Memberstack Admin REST API! This guide will help you get started with the server-side REST API that allows you to manage members, verify tokens, and perform other administrative tasks programmatically from your server.
Before You Start
- Access to your Memberstack secret key (found in your Memberstack dashboard)
- A server-side environment to make secure API requests
- For paid functionality, a Memberstack account with an active billing method is required
Authentication
The Memberstack Admin REST API uses secret keys to authenticate requests. These keys provide full access to your account, so they must be kept secure.
Secret Key Management
You can view and manage your API keys in the Memberstack dashboard. There are two types of keys:
Test Mode Keys
- Prefix: sk_sb_
- Use for development and testing
- Limited to 50 test members
- No real charges processed
Live Mode Keys
- Prefix: sk_
- Use for production environments
- No member limits
- Real charges processed
Security Warning: Your secret keys carry administrative privileges, so keep them secure and use them in server-side environments only! Never use your secret keys in publicly accessible places like:
- Webflow, WordPress, or other CMS platforms
- GitHub or other public repositories
- Client-side code (browser JavaScript)
- Mobile applications
Rate Limits
The Memberstack Admin REST API has a rate limit of 25 requests per second. If you exceed this limit, you'll receive a 429 (Too Many Requests) error.
Making API Requests
Learn how to structure your API requests to the Memberstack Admin REST API.
Base URL
All API requests should be made to the following base URL:
Authentication Headers
Include your secret key in the X-API-KEY header with every request:
When making API requests:
- Always store your API key in environment variables
- Set proper content headers (Content-Type: application/json) for POST/PATCH
- Handle potential rate limiting with exponential backoff
- Implement proper error handling for all responses
Security Best Practices
Follow these best practices to ensure your integration with the Memberstack Admin REST API is secure.
Secret Key Storage
- Store secret keys in environment variables or a secure vault system (like AWS Secrets Manager, Hashicorp Vault, etc.)
- Use different keys for development and production environments
- Consider implementing key rotation for enhanced security
- Limit key access to only necessary team members
Server-Side Implementation
- Only make API calls from secure server environments (Node.js, Python, Ruby, PHP, etc.)
- Never expose endpoints that directly proxy your secret key
- Use HTTPS for all API communication to ensure encryption of data in transit
- Implement proper validation and sanitization for any user input that influences API calls
Error Handling
- Implement proper error handling for all API responses
- Avoid exposing detailed error messages to clients that might reveal implementation details
- Log errors securely for debugging without exposing sensitive information
- Consider implementing retry logic with exponential backoff for transient errors
Example Implementation
Here's a secure example of implementing the Memberstack Admin REST API in a Node.js environment:
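The following is an added example, not Memberstack's own sample code: a small Node.js client that reads the secret key from an environment variable, sends it in the X-API-KEY header, backs off exponentially on 429 responses, and returns only generic error text to callers. The MEMBERSTACK_SECRET_KEY and MEMBERSTACK_BASE_URL variable names, the base URL fallback, and the "/members" path are assumptions and placeholders, not values from the documentation.

```javascript
// Added example (not Memberstack's own code): a small Node.js client that applies
// the practices above. BASE_URL and the "/members" path are placeholders.
const BASE_URL = process.env.MEMBERSTACK_BASE_URL || "https://api.example.invalid";
// The secret key comes from the environment, never from source or client code.
function buildHeaders(secretKey = process.env.MEMBERSTACK_SECRET_KEY) {
  if (typeof secretKey !== "string" || !secretKey.startsWith("sk_")) {
    throw new Error("MEMBERSTACK_SECRET_KEY is missing or malformed");
  }
  return { "X-API-KEY": secretKey, "Content-Type": "application/json" };
}
// Exponential backoff for 429 responses: 200 ms, 400 ms, 800 ms, ... capped at 5 s.
function backoffDelayMs(attempt) {
  return Math.min(200 * 2 ** attempt, 5000);
}
// Clients get a generic message; the detailed status goes only to the server log.
function clientSafeError(status) {
  return status === 429 ? "Too many requests, please retry later" : "Upstream request failed";
}
// deps lets tests inject a fake fetch/sleep; in production the defaults are used.
async function requestWithBackoff(path, options = {}, deps = {}) {
  const fetchImpl = deps.fetchImpl || fetch;
  const sleep = deps.sleep || (ms => new Promise(resolve => setTimeout(resolve, ms)));
  const maxRetries = deps.maxRetries ?? 3;
  for (let attempt = 0; ; attempt++) {
    const res = await fetchImpl(BASE_URL + path, { ...options, headers: buildHeaders(deps.secretKey) });
    if (res.status === 429 && attempt < maxRetries) {
      await sleep(backoffDelayMs(attempt));
      continue;
    }
    if (!res.ok) {
      // Server-side log keeps the detail; the caller only sees clientSafeError().
      console.error(`Memberstack ${options.method || "GET"} ${path} -> HTTP ${res.status}`);
      return { ok: false, status: res.status, error: clientSafeError(res.status) };
    }
    return { ok: true, status: res.status, data: await res.json() };
  }
}
// Constructed stand-in for fetch: answers each status in turn, repeating the last one.
function fakeFetch(statuses) {
  const queue = [...statuses];
  return async () => {
    const status = queue.length > 1 ? queue.shift() : queue[0];
    return { status, ok: status >= 200 && status < 300, json: async () => ({ data: { id: "placeholder-id" } }) };
  };
}
// Offline demo: two 429s, then success, without touching the network.
requestWithBackoff("/members", { method: "GET" }, {
  fetchImpl: fakeFetch([429, 429, 200]), sleep: async () => {}, secretKey: "sk_sb_constructed_example",
}).then(result => console.log(result.status, result.ok)); // 200 true
```

In production, omit the deps argument so the real global fetch and a real timed sleep are used.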
Next Steps
Now that you understand the basics, you might want to explore:
Need Help?
Having trouble getting your login working? We're here to help!