Snipcart Roles and Permissions Guide | OpsBlu Docs

Snipcart e-commerce dashboard access -- account owner, team members, API key management, and webhook configuration.

Snipcart is a headless e-commerce platform that adds a shopping cart to any website. It uses a dashboard-based access model with API key authentication.

Permission Model

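| Role          | Dashboard Access | Orders | Products | Settings | API Keys | Billing |
|---------------|------------------|--------|----------|----------|----------|---------|
| Account Owner | Full             | Full   | Full     | Full     | Full     | Full    |
| Team Member   | Yes              | Full   | Full     | Partial  | View     | No      |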

Account Owner

Full control over the Snipcart account including billing, API keys, team management, and all e-commerce operations.

Team Members

Can manage orders, products, and discounts. Cannot modify billing, API keys, or critical account settings.

API Key Types

# Public API Key (used in frontend HTML, identifies your store)
# Safe to include in client-side code
<div id="snipcart" data-api-key="YOUR_PUBLIC_KEY" hidden></div>

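# Secret API Key (server-side only, full API access)
# HTTP Basic auth: the secret key is the username and the password is empty.
# curl -u builds the header itself, so a long key is not broken by base64 line wrapping.
curl "https://app.snipcart.com/api/orders" \
  -H "Accept: application/json" \
  -u "YOUR_SECRET_KEY:"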

# Test keys vs Live keys (separate environments)
# Test: ST_... (public) / SK_... (secret)
# Live: PK_... (public) / SK_... (secret)
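
| Key Type   | Read Orders | Create Discounts | Refund Orders | Manage Products |
|------------|-------------|------------------|---------------|-----------------|
| Public Key | No          | No               | No            | No              |
| Secret Key | Yes         | Yes              | Yes           | Yes             |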

Analytics Integration

Snipcart fires JavaScript events that can feed analytics:

// Track Snipcart e-commerce events in GA4
document.addEventListener('snipcart.ready', function() {
  Snipcart.events.on('item.added', function(item) {
    gtag('event', 'add_to_cart', {
      currency: 'USD',
      value: item.price,
      items: [{ item_id: item.id, item_name: item.name }]
    });
  });

  // With the v3 events API used here, a placed order is reported as cart.confirmed
  Snipcart.events.on('cart.confirmed', function(order) {
    gtag('event', 'purchase', {
      transaction_id: order.token,
      value: order.total,
      currency: order.currency
    });
  });
});

Best Practices

  1. Never expose the Secret API key in client-side code -- only the Public key
  2. Use test keys during development and switch to live keys for production
  3. Set up Snipcart webhooks to sync order events to your analytics pipeline
  4. Rotate Secret API keys periodically and store them in environment variables
  5. Use team member access for staff who need order management without billing access
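
A webhook endpoint (practice 3) is a public URL, so order events should be confirmed as coming from Snipcart before they reach the analytics pipeline. The sketch below is an added example, not code from this page or from Snipcart: it checks the `X-Snipcart-RequestToken` header against Snipcart's request-validation endpoint using the Secret key passed in from an environment variable (practice 4). The function names, the `forward` callback and the 256-character token cap are assumptions made for illustration.

```javascript
// Added example (Node 18+). Names and the token length cap are hypothetical.
const VALIDATION_URL = 'https://app.snipcart.com/api/requestvalidation/';
const MAX_TOKEN_LENGTH = 256; // assumption: generous upper bound, not a documented limit

function basicAuthHeader(secretKey) {
  // The Secret key is the Basic-auth username; the password is empty.
  return 'Basic ' + Buffer.from(secretKey + ':').toString('base64');
}

// headers: lower-cased header map as Node's http module provides it.
// fetchImpl: injectable so the check can be exercised offline.
async function isGenuineSnipcartRequest(headers, secretKey, fetchImpl = fetch) {
  if (!secretKey) throw new Error('Secret key missing: set it in the environment');
  const token = headers['x-snipcart-requesttoken'];
  if (typeof token !== 'string' || token.length === 0 ||
      token.length > MAX_TOKEN_LENGTH) {
    return false; // no token: reject without spending an API call
  }
  // encodeURIComponent keeps an attacker-supplied token from altering the path.
  const res = await fetchImpl(VALIDATION_URL + encodeURIComponent(token), {
    headers: { Accept: 'application/json', Authorization: basicAuthHeader(secretKey) },
  });
  return res.ok; // a non-2xx answer means Snipcart does not know this token
}

// Returns the HTTP status the endpoint should answer with.
async function handleWebhook(headers, rawBody, secretKey, forward, fetchImpl = fetch) {
  if (!(await isGenuineSnipcartRequest(headers, secretKey, fetchImpl))) return 401;
  let event;
  try {
    event = JSON.parse(rawBody);
  } catch (err) {
    return 400; // authenticated but malformed payload
  }
  if (event.eventName === 'order.completed') forward(event.content);
  return 200;
}
```

In a real handler, pass `process.env.SNIPCART_SECRET_KEY` (a hypothetical variable name) as `secretKey` and answer the request with the returned status code.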