Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.skynetparts.com/llms.txt

Use this file to discover all available pages before exploring further.

Every request to the Skynet B2B Parts API needs a key. This page walks through how to get yours, how it works, and how to take care of it.

What is an API key?

An API key is a long, secret string we give you. You include it in every request and it tells us which Skynet B2B account is making the call. Think of it like a username and password rolled into one except it’s designed for machines (your scripts, ERP connectors, procurement bots) instead of people. Your key is tied to a specific Skynet B2B account and a specific Company Location within that account. Every order placed with the key is billed to that Location, at that Location’s negotiated B2B pricing tier.

How to get an API key

API keys are provisioned by the Skynet team. There’s no signup form and no self-serve portal you email us, we send you a key. This matches how other aerospace parts APIs (Boeing Distribution Services, Aviall, Satair) operate. Email info@skynetparts.com with:
  • Your Skynet company name
  • The email address of the person who will be integrating
  • The Company Location the key should be scoped to (if you have more than one)
  • A short note on what you plan to use the API for
We’ll generate a key and send it to the integration contact’s email. You’ll receive the raw key, the endpoint URLs, a copy-paste curl example, and a link back to this documentation. Most requests are turned around within one business day. Not yet a Skynet B2B customer? That’s the same email to use. We’ll help you set up an account first.

What your key looks like

A Skynet API key always starts with sk_live_ followed by a long random string of letters, numbers, and underscores. The total length is about 50 characters. For example: 
sk_live_a7f3c2e1b4d9...x9q2
The sk_live_ prefix tells you this is a production key — every call you make will hit our real catalog and place real orders billed to your account. The random part has enough entropy that nobody can guess one. There is no test version of the key. Treat every key as live.

How to use your key

Add the key to every request using the standard HTTP Authorization header a named field on an HTTP request. The format is Bearer (note the space) followed by your full key. 
Authorization: Bearer sk_live_a7f3c2e1b4d9...x9q2
A complete request looking up a single part looks like this end-to-end: 
curl -X POST https://api.skynetparts.com/api/b2b/catalog \
  -H "Authorization: Bearer sk_live_a7f3c2e1b4d9...x9q2" \
  -H "Content-Type: application/json" \
  -d '{"part_numbers": ["MS21042L3"]}'
Both the Look Up Parts and Place an Order endpoints require this exact header. The same key works for both there’s no separate “catalog key” and “orders key”.

Store your key safely

Treat your API key like a password. Anyone who has it can look up parts at your account’s pricing and place orders billed to your account.
Good places to store an API key:
  • A password manager (1Password, Bitwarden, etc.)
  • A secret manager (AWS Secrets Manager, HashiCorp Vault, Google Secret Manager, etc.)
  • An environment variable a setting on the machine on the host that runs your integration
Bad places to store an API key:
  • In source code committed to git, GitHub, GitLab, or any version control system
  • In a screenshot pasted into Slack, Teams, email, or a ticketing tool
  • In a Postman collection that gets shared with the team
  • In a config file checked into a repo, even a “private” one
  • Hardcoded in a script someone else will copy
After you’ve saved the key somewhere safe, delete the original email. The email is one more place the raw key sits fewer copies, fewer ways for it to leak.

Multiple keys for one account

You can request multiple API keys. Common reasons: separate keys for separate Company Locations, separate keys for separate environments (your production procurement bot vs. an internal QA bot), or separate keys for separate teams within your organization so individual access can be revoked without affecting everyone else. Each key is independent revoking one doesn’t affect any others. There’s no limit on the number of keys you can have. Email info@skynetparts.com to request additional keys.

How long does a key last?

API keys do not expire automatically. They keep working until you ask us to revoke them. There’s no annual renewal, no quarterly rotation forced by us, no expiry timer counting down. That said, rotating keys periodically is a good security practice. We recommend rotating at least once a year, or any time someone with access to the key leaves your team.

Rotating a key

To rotate a key without any downtime: request a new key while the old one still works, deploy the new key to your integration, confirm everything is working, then email us to revoke the old key. This way your integration never goes down there’s a window where both keys work, you flip over at your own pace, and then we revoke the old one. Don’t try to rotate by revoking the old key first. Once revoked, the old key returns 401 immediately on every request, and your integration will stop working until you’ve deployed the new key.

Lost or compromised key

If a key is lost, accidentally committed to a public repo, sent to the wrong person, or otherwise out of your team’s control, email api@skynetparts.com immediately. Use a subject line that signals urgency, like URGENT: revoke compromised key sk_live_a7f3.... Include the first 12 characters of the key (e.g., sk_live_a7f3) so we can identify which key to revoke. Don’t email us the full raw key — your inbox is one of the places it’s already too exposed. We’ll revoke the old key immediately and issue a replacement. From the moment we revoke, the old key returns 401 KEY_REVOKED on every request — there’s no delay or cache.

Frequently asked questions

No. Keys are created, listed, and revoked only via email to api@skynetparts.com. This is intentional — it means a compromised key cannot be used to mint more keys.
No automatic expiry. Keys work until you ask us to revoke them. We recommend rotating at least annually as a security practice.
Not at this time. Every key has the same access — both endpoints. If you need separation, request multiple keys and use them in different integrations.
Yes. The same key can be used from anywhere. We don’t restrict it to a specific IP or hostname. If you’d like better audit isolation, ask for separate keys per server or per script.
Idempotency keys are scoped to your API key. Two different customers using the same Idempotency-Key value will never collide — each sees only their own.
No. The raw key is shown to you exactly once — in the welcome email. After that, we can’t tell you what it was. If you lose the key, we revoke it and issue a new one. Your old integrations will need the new key dropped in.
Each key has a 4-character display prefix after sk_live_ (e.g., sk_live_a7f3). When you ask us to revoke or rotate, use this prefix to tell us which key you mean. Never send us the full raw key.
No. The random part of every key has enough entropy that guessing is computationally impossible — the universe will end before someone brute-forces a valid key.