Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.sellfern.com/llms.txt

Use this file to discover all available pages before exploring further.

Sellfern uses two authentication mechanisms: JWT-based session auth for the browser UI, and bearer tokens prefixed with sk_live_ for the REST API and integrations. If you are building an automation, script, or third-party integration, you will use a bearer token. The UI handles session auth automatically when you sign in.
API tokens grant programmatic access to your organization’s data. Store them in environment variables or a secrets manager — never commit them to source code or share them in public channels. A token cannot be retrieved after the moment it is created.

UI login

When you open Sellfern in a browser, you sign in using one of two methods: Email and password — Enter your registered email and password on the login page. Sellfern issues a JWT session token and loads the workspace. Google OAuth — Click Sign in with Google and complete the Google authorization flow. If your Google account is new to Sellfern, you will finish registration by setting an organization name and password before the workspace opens. Multi-organization accounts — If your account belongs to more than one organization, Sellfern presents an organization picker after you authenticate. Select the organization you want to enter; you can switch organizations later using the selector in the sidebar. Switching refreshes the workspace so all data — orders, stores, reports, settings — reflects the selected organization.

API tokens

API tokens let external scripts, agents, and integrations call the Sellfern REST API on behalf of your organization. Each token carries a set of scopes that limit what it can do.

Create a token

  1. Sign in to Sellfern and go to Settings → API Tokens.
  2. Click Create Token.
  3. Give the token a descriptive name (for example, n8n weekly report or order sync script).
  4. Select the scopes the token needs. Grant only the scopes required for the integration — see the table below.
  5. Optionally set an expiry date and a daily quota.
  6. Click Create. Copy the token value shown on screen.
The full token value is shown only once. Copy it immediately and store it securely. If you lose it, you must revoke the token and create a new one.

Available scopes

ScopeWhat it allows
orders:readRead order records and metadata
orders:writeCreate and update orders
orders:status:writeUpdate order status fields
analytics:readRead revenue, cost, and profit reports
fulfillment:readRead fulfillment and tracking records
fulfillment:writeUpdate fulfillment status and tracking
webhooks:manageCreate, update, and delete webhook endpoints

Using your token in requests

Pass your token in the Authorization header of every API request: 
curl -X GET "https://api.sellfern.com/api/v2/orders" \
  -H "Authorization: Bearer sk_live_YOUR_TOKEN_HERE"
Here is a second example that reads analytics data for the last 7 days: 
curl -X GET "https://api.sellfern.com/api/v2/analytics/summary?period=last_7_days" \
  -H "Authorization: Bearer sk_live_YOUR_TOKEN_HERE"
All API requests must include this header. Requests without a valid token are rejected with a 401 response.

Token security best practices

Following these practices keeps your organization’s data safe even if one token is compromised.
Scope minimally — Grant only the scopes the integration actually needs. A reporting script only needs analytics:read; it should not also have orders:write. Rotate regularly — Create a new token on a schedule (for example, every 90 days), update your integration to use it, then revoke the old one. Frequent rotation limits the exposure window if a token leaks. Store in environment variables — Load tokens from environment variables or a secrets manager at runtime. Never hard-code a token in source code or include it in a repository. Use one token per integration — Give each script or service its own token. If one is compromised, you can revoke it without affecting other integrations. Revoke unused tokens — Go to Settings → API Tokens, find tokens that are no longer in use, and revoke them. The activity log on each token shows recent usage.

Error responses

Sellfern returns standard HTTP status codes for authentication and authorization failures.
StatusMeaning
401 UnauthorizedThe token is missing, invalid, or has been revoked. Check that the token is correctly formatted and has not expired.
403 Forbidden (missing_scope)The token does not have the scope required by the endpoint. Add the required scope to the token, or create a new token with the correct scopes.