diff --git a/server/src/routes/etsy.ts b/server/src/routes/etsy.ts
index 077b554..9a031d4 100644
--- a/server/src/routes/etsy.ts
+++ b/server/src/routes/etsy.ts
@@ -44,11 +44,11 @@ const loadConfig = async (userId: string): Promise<EtsyConfig | null> => {
   return { apiKey, sharedSecret, redirectUri };
 };
 
-// Keystring is the OAuth client id; Etsy wants the shared secret in the
-// x-api-key header for API resource calls
+// Keystring is the OAuth client id; API resource calls want the x-api-key
+// header formatted as "keystring:sharedsecret"
 const toCredentials = (config: EtsyConfig) => ({
   clientId: config.apiKey,
-  apiKeyHeader: config.sharedSecret || config.apiKey,
+  apiKeyHeader: config.sharedSecret ? `${config.apiKey}:${config.sharedSecret}` : config.apiKey,
 });
 
 // Where to send the browser after the OAuth callback: same origin as the