Skip to main content

Overview

The Waffo Pancake API lets you programmatically manage your entire payment infrastructure:
  • Create and manage stores
  • Create products (one-time and subscription)
  • Generate checkout sessions and process orders
  • Manage subscriptions and billing
  • Query data via GraphQL
  • Handle refunds

Base URL

All API requests are made to: 
https://waffo-pancake-auth-service.vercel.app/v1

Architecture

The API uses a hybrid approach:
  • REST endpoints (/v1/actions/...) for all write operations (create, update, delete)
  • GraphQL (/v1/graphql) for all read operations (queries)
All REST endpoints use POST method exclusively. There are no GET, PUT, PATCH, or DELETE methods.

TypeScript SDK

The official @waffo/pancake-ts SDK wraps the entire API with full type safety. It handles authentication, request signing, idempotency keys, and webhook verification automatically. 
npm install @waffo/pancake-ts

import { WaffoPancake } from "@waffo/pancake-ts";

const client = new WaffoPancake({
  merchantId: process.env.WAFFO_MERCHANT_ID!,
  privateKey: process.env.WAFFO_PRIVATE_KEY!,
});
Every endpoint documented below includes an SDK example alongside the REST/cURL examples. Full SDK documentation →

Authentication

Waffo Pancake uses API Key authentication for all programmatic API access. API Keys provide secure server-to-server communication.
API Key authentication is handled automatically by the SDK. Install @waffo/pancake-ts, provide your Merchant ID and private key, and the SDK will handle request signing automatically.
For public-facing checkout flows, use Store Slug authentication with the X-Store-Slug header. Learn more about authentication —>

Common Headers

HeaderRequiredDescription
Content-TypeYesAlways application/json
X-Store-SlugConditionalStore slug (for public checkout flows)
X-EnvironmentConditionaltest or prod (required with Store Slug auth)
X-Idempotency-KeyOptionalUnique ID for write operations (cached 24h)

Request Format

  • Method: All write endpoints use POST
  • Body: JSON
  • IDs: UUID v4 format (e.g., 550e8400-e29b-41d4-a716-446655440000)
  • Timestamps: ISO 8601 UTC (e.g., 2026-01-23T00:00:00.000Z)
  • Amounts: Smallest currency unit as integers (e.g., 2900 = $29.00 USD)
  • Currencies: ISO 4217 codes (e.g., USD, EUR, JPY)
  • Status values: Always lowercase (e.g., active, not ACTIVE)

Example Request

import { WaffoPancake } from "@waffo/pancake-ts";

const client = new WaffoPancake({
  merchantId: process.env.WAFFO_MERCHANT_ID!,
  privateKey: process.env.WAFFO_PRIVATE_KEY!,
});

const { store } = await client.stores.create({ name: "My Store" });

Response Format

Success

{
  "data": {
    "store": {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "name": "My Store",
      "status": "active",
      "createdAt": "2026-01-15T10:30:00.000Z",
      "updatedAt": "2026-01-15T10:30:00.000Z"
    }
  }
}

Error

{
  "data": null,
  "errors": [
    {
      "message": "Store name is required",
      "layer": "store"
    }
  ]
}
In the errors array, errors[0] is the root cause of the failure. Subsequent entries represent higher-level callers in the request chain.

Error Layers

LayerDescription
gatewayRequest routing / infrastructure
userUser authentication or authorization
storeStore operations
productProduct operations
orderOrder operations
graphqlGraphQL query errors

HTTP Status Codes

CodeDescription
200Success
400Bad Request — invalid parameters
401Unauthorized — authentication failed
403Forbidden — insufficient permissions
404Not Found
409Conflict — idempotent request already in progress
429Rate Limited — too many requests
500Internal Server Error
501Not Implemented
502Bad Gateway

Environments

Switch between test and production using the X-Environment header:
EnvironmentHeader ValueDescription
TestX-Environment: testNo real charges, isolated data
ProductionX-Environment: prodReal transactions
API Key authentication does not require the X-Environment header — the environment is determined by the key’s registered environment. The X-Environment header is required when using Store Slug authentication.

Idempotency

Prevent duplicate write operations by including an X-Idempotency-Key header: 
curl -X POST https://waffo-pancake-auth-service.vercel.app/v1/actions/checkout/create-session \
  -H "Content-Type: application/json" \
  -H "X-Store-Slug: your-store-slug" \
  -H "X-Environment: test" \
  -H "X-Idempotency-Key: unique-request-id-12345" \
  -d '{"productId": "...", "productType": "onetime", "currency": "USD"}'
  • Keys are cached for 24 hours
  • Same key returns the same response without re-executing
  • If the original request is still processing, returns 409 Conflict

Endpoint Groups

Authentication

API Key signatures and Store Slug auth

Stores

Create, update, and delete stores

One-Time Products

Create and manage one-time purchase products

Subscription Products

Create tiered subscription products

Orders

Create orders and checkout sessions

Subscriptions

Manage subscription lifecycle

Refunds

Request and process refunds

GraphQL

Query data with GraphQL