Using the Colorlab API

Implementation

Please follow these practices when implementing the Colorlab API:

Ignoring these practices could result in your API keys being disabled. Please feel free to contact Colorlab Support for assistance with implementing your specific use case.

Authentication

For every request to the API, you need to send 3 custom HTTP headers:

| Header | Description |
| --- | --- |
| X-Colorlab-Shop | The shop ID of your shop (displayed in the Settings page of the Colorlab Console). |
| X-Colorlab-Api-Key | Your API key. |
| X-Colorlab-Api-Signature | The signature generated on your side using an API secret. The signature is used to validate your request. |

Every time you request an API endpoint, you need to send along a signature in the X-Colorlab-Api-Signature header. This signature guarantees that the request is valid and could not have been made by other parties.

The signature is calculated on a per-endpoint basis. Every calculation involves your API secret.

Important: never send your API secret to the endpoint; use it only to generate the signature. This ensures that requests can only originate from a source that knows the API secret.

Rate limiting

The Colorlab API applies rate limiting to all endpoints following the leaky bucket algorithm.

You can make a maximum number of requests per minute. Each request counts equally, regardless of how much or how little data is returned. All requests that are made after rate limits have been exceeded are throttled and an HTTP 429 Too Many Requests error is returned.

When implementing the API, you should take into account that limits apply, and prevent exceeding these limits by:

Requests will succeed again after enough requests have emptied out within the timeframe.

For more information about the number of requests and the timeframes that apply to each endpoint, please contact Colorlab Support.
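
The pacing described in this section, sketched as a client-side leaky bucket that waits before a request would overflow and backs off on HTTP 429. This is an added example, not Colorlab's own code; the `capacity` and `leak_per_minute` values and the `send` callable are assumptions, since the real limits are only available from Colorlab Support.

```python
import time


class LeakyBucket:
    """Client-side model of a leaky-bucket limit: each request adds one unit,
    units drain at a constant rate, and a full bucket means HTTP 429."""

    def __init__(self, capacity, leak_per_minute, clock=time.monotonic):
        self.capacity = capacity  # placeholder: real limit comes from Colorlab Support
        self.leak_per_sec = leak_per_minute / 60.0
        self.clock = clock
        self.level = 0.0
        self.last = clock()

    def _drain(self):
        now = self.clock()
        self.level = max(0.0, self.level - (now - self.last) * self.leak_per_sec)
        self.last = now

    def delay_needed(self):
        """Seconds to wait before one more request fits (0.0 if it fits now)."""
        self._drain()
        overflow = self.level + 1 - self.capacity
        return max(0.0, overflow / self.leak_per_sec)

    def record_request(self):
        """Count one request; every request costs the same, whatever it returns."""
        self._drain()
        self.level += 1

    def record_429(self):
        """The server reported the limit as exceeded: treat the bucket as full."""
        self._drain()
        self.level = float(self.capacity)


def call_throttled(bucket, send, sleep=time.sleep, max_attempts=3):
    """Pace calls to `send` (hypothetical callable returning an HTTP status code)."""
    for _ in range(max_attempts):
        wait = bucket.delay_needed()
        if wait > 0:
            sleep(wait)  # let enough requests drain before sending
        bucket.record_request()
        status = send()
        if status != 429:
            return status
        bucket.record_429()  # resynchronise with the server, then wait and retry
    return 429
```

Share one `LeakyBucket` per endpoint across all workers that use the same API key, since the limit applies to the key and not to the individual process.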