Authorization header. The merchant API Key never leaves the server.
Session tokens are scoped by buyerIdentity + visitingStoreId and only authorize operations on records that belong to that customer within that store. They cannot read merchant-wide state.

Required headers on every call
| Header | Value |
|---|---|
| Authorization | `Bearer <session-token>` (the JWT returned by Issue Session Token) |
| X-Environment | `test` or `prod` (must match the environment the token was minted for) |
Endpoints
| Endpoint | Purpose |
|---|---|
| Preview Trial | Check whether the customer is eligible for a trial period |
| Create One-time Order | Create a one-time order for the authenticated customer |
| Cancel One-time Order | Cancel a pending one-time order before payment completes |
| Create Subscription Order | Subscribe the authenticated customer to a recurring plan |
| Cancel Subscription | Cancel an active or pending subscription on behalf of the customer |
| Reactivate Subscription | Reverse a pending cancellation while the subscription is still in the `canceling` state |
| Change Product | Switch the active subscription to a different product |
| GraphQL | Query the customer's own orders, payments, and refunds |
Token-path errors
These errors are surfaced only on the session-token call path:

| Status | errors[0].message | What it means |
|---|---|---|
| 400 | Missing X-Context-Buyer-Identity header | Token did not carry a buyer identity claim — re-mint the token |
| 400 | Missing X-Context-Visiting-Store-Id header | Token was not scoped to a store — re-mint with visitingStoreId |
| 401 | Authentication failed | Session token expired, malformed, or signed for a different merchant |
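As an added example (not code from this page, the vendor's SDK, or the project itself), the client sketch below ties the two sections above together: it builds the two headers every call must carry and maps the token-path error table to the recovery the docs prescribe (re-mint the token for the two 400s, re-authenticate for the 401). The endpoint path, the claim names inside the token (`env`, `buyerIdentity`, `visitingStoreId`) and the in-memory stand-in for the remote API are assumptions made so the code runs offline; a real session token is signed by the server and would be verified there, not decoded client-side as the stand-in does.

```python
"""Session-token client sketch. Constructed example: endpoint path, token claim
names and the in-memory stand-in 'server' are assumptions, not the real API."""
import base64
import json

# Recovery action for each token-path error listed in the docs' table.
TOKEN_PATH_ERRORS = {
    (400, "Missing X-Context-Buyer-Identity header"): "remint",
    (400, "Missing X-Context-Visiting-Store-Id header"): "remint",
    (401, "Authentication failed"): "reauth",
}


class ApiError(Exception):
    def __init__(self, status, message, action):
        super().__init__(f"{status}: {message}")
        self.status, self.message, self.action = status, message, action


def build_headers(session_token, environment):
    """The headers every call must carry: bearer session token plus X-Environment.
    The merchant API key is never part of these headers; only the scoped JWT is."""
    if environment not in ("test", "prod"):
        raise ValueError("X-Environment must be 'test' or 'prod'")
    if not session_token or session_token.count(".") != 2:
        raise ValueError("session token must be the JWT returned by Issue Session Token")
    return {"Authorization": f"Bearer {session_token}", "X-Environment": environment}


def classify_error(status, body):
    """Map an error response to 'remint', 'reauth' or 'none' using errors[0].message."""
    try:
        message = body["errors"][0]["message"]
    except (KeyError, IndexError, TypeError):
        message = ""
    return TOKEN_PATH_ERRORS.get((status, message), "none"), message


def call(transport, method, path, session_token, environment, payload=None):
    """Issue one request through `transport`; raise ApiError with a recovery action on 4xx/5xx."""
    status, body = transport(method, path, build_headers(session_token, environment), payload)
    if status >= 400:
        action, message = classify_error(status, body)
        raise ApiError(status, message, action)
    return body


# --- constructed stand-in for the remote API so the example runs offline ---

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_fake_token(env, buyer=None, store=None):
    """Unsigned JWT-shaped token; claim names are assumptions for this demo only."""
    claims = {"env": env}
    if buyer:
        claims["buyerIdentity"] = buyer
    if store:
        claims["visitingStoreId"] = store
    return f"{_b64url({'alg': 'none'})}.{_b64url(claims)}.sig"


def _error(status, message):
    return status, {"errors": [{"message": message}]}


def fake_transport(method, path, headers, payload):
    """Applies the token-path rules from the error table to the fake token (no signature check)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return _error(401, "Authentication failed")
    try:
        claim_part = auth[len("Bearer "):].split(".")[1]
        padded = claim_part + "=" * (-len(claim_part) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, IndexError):
        return _error(401, "Authentication failed")
    if claims.get("env") != headers.get("X-Environment"):
        return _error(401, "Authentication failed")   # minted for another environment
    if "buyerIdentity" not in claims:
        return _error(400, "Missing X-Context-Buyer-Identity header")
    if "visitingStoreId" not in claims:
        return _error(400, "Missing X-Context-Visiting-Store-Id header")
    # Scope of anything this token may touch: this buyer, in this store.
    return 200, {"ok": True, "path": path,
                 "scope": [claims["buyerIdentity"], claims["visitingStoreId"]]}


def recovery_action(session_token, environment):
    """Try one call and report 'ok' or the recovery the client should perform next."""
    try:
        call(fake_transport, "POST", "/preview-trial", session_token, environment)
        return "ok"
    except ApiError as exc:
        return exc.action


if __name__ == "__main__":
    print(recovery_action(make_fake_token("test", "buyer-1", "store-1"), "test"))
    print(recovery_action(make_fake_token("test", "buyer-1", "store-1"), "prod"))
```

The client treats the two 400s and the 401 differently on purpose: a missing claim means the token was minted wrongly and only re-minting with the right buyerIdentity and visitingStoreId fixes it, whereas a 401 covers expiry, malformed tokens and wrong-merchant signatures, so retrying with the same token is pointless.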