Checkout Shield for WooCommerce
Your CAPTCHA protects the form. This protects the API. Most store owners don't realize the attacks aren't even hitting their checkout page.
Checkout Shield API Keys for Headless or Custom Checkout
Checkout Shield API keys are for trusted custom checkout integrations that cannot use the normal browser token, cookie, and session validation path.
When to use an API key
- A headless frontend posts checkout requests to WooCommerce.
- A trusted internal service creates checkout requests.
- A custom checkout flow cannot receive the normal Checkout Shield browser token.
Send the request header
Trusted integrations should send the generated key in the X-CCS-Key request header. A valid key allows the request to bypass normal shopper-session validation.
Request header
X-CCS-Key: your-generated-key
An example checkout request from a Node.js service:
checkout.js
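// Runs server-side only: the key is read from the environment, never shipped to the browser.
// checkoutPayload is the checkout request body your service has already built.
const res = await fetch('https://store.example.com/wp-json/wc/store/v1/checkout', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'X-CCS-Key': process.env.CCS_API_KEY
  },
  body: JSON.stringify(checkoutPayload)
});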
Key handling
- Copy the key when it is generated and store it securely.
- Do not expose the key in public browser JavaScript.
- Delete unused keys immediately.
- Rotate keys if a server or deployment environment is compromised.
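One way to keep the key out of browser JavaScript in a headless setup is to have the frontend post to your own server, which attaches X-CCS-Key before relaying to WooCommerce. The sketch below is an added example, not Checkout Shield's own code; the function names, the FORWARDED_HEADERS allowlist and the redaction helper are assumptions for illustration.

```javascript
// Added example: server-side relay that attaches X-CCS-Key so the browser never sees it.
// All names below are illustrative assumptions, not part of the plugin.
const STORE_CHECKOUT_URL = 'https://store.example.com/wp-json/wc/store/v1/checkout';
// Browser-supplied headers allowed upstream (assumed list; adjust to your checkout flow).
const FORWARDED_HEADERS = ['cart-token'];

function buildUpstreamRequest(incomingHeaders, payload, apiKey) {
  // Fail closed: never relay a checkout with a missing or blank key.
  if (typeof apiKey !== 'string' || apiKey.trim() === '') {
    throw new Error('CCS_API_KEY is not configured');
  }
  const headers = { 'Content-Type': 'application/json' };
  for (const [name, value] of Object.entries(incomingHeaders || {})) {
    const lower = name.toLowerCase();
    // Anything not allowlisted is dropped, including a client-sent X-CCS-Key or cookies.
    if (FORWARDED_HEADERS.includes(lower)) headers[lower] = String(value);
  }
  // The key is added here, on the server, and nowhere else.
  headers['X-CCS-Key'] = apiKey;
  return { url: STORE_CHECKOUT_URL, method: 'POST', headers, body: JSON.stringify(payload) };
}

// Copy of the request that is safe to write to logs: the key value is masked.
function redactForLog(request) {
  return { ...request, headers: { ...request.headers, 'X-CCS-Key': '[redacted]' } };
}

// Relay one checkout request; the caller passes the browser's headers and parsed JSON body.
async function relayCheckout(incomingHeaders, payload, env = process.env) {
  const req = buildUpstreamRequest(incomingHeaders, payload, env.CCS_API_KEY);
  console.log('relaying checkout', JSON.stringify(redactForLog(req).headers));
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  // Only status and body go back to the browser.
  return { status: res.status, body: await res.text() };
}
```

Call relayCheckout from the route handler that your headless frontend posts to, and keep CCS_API_KEY in the server's secret store so it can be rotated without a frontend deploy.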
Related
See Classic Checkout and Checkout Blocks Protection for the standard browser flow this header bypasses, and IP Whitelist and Proxy/CDN Support for trusted IP ranges.