SmartDepot Developers

Händler mit SmartDepot verbinden

Baue sichere Warenkorb-, Bestell- und Versandintegrationen. Starte sofort in der isolierten Sandbox und beantrage den Produktionszugang, sobald alles bereit ist.

curl https://sandbox-api.smartdepot.org/api/v1/orders \
  -H "Authorization: Bearer $TOKEN" \
  -H "Idempotency-Key: order-4711" \
  -H "Content-Type: application/json" \
  --data @order.json

1. Sandbox

App registrieren und Testzugangsdaten einmalig erhalten.

2. OAuth + PKCE

Kunden wählen Workspace und ausdrückliche Schreibrechte.

3. Production

Domains und Anwendungsfall zur Prüfung einreichen.

Quickstart

OAuth Authorization Code

  1. Generate a PKCE verifier and S256 challenge.
  2. Open /oauth/authorize with requested scopes.
  3. Exchange the one-time code at /oauth/token.
  4. Send the bearer token to Orders or Shipments.

Security contract

  • Access tokens expire after 15 minutes; refresh tokens rotate.
  • Idempotency-Key is mandatory on write endpoints.
  • Cart handoffs use timestamped HMAC-SHA256 requests.
  • No inventory, workspace or user read API is exposed.
// JavaScript (server-side)
await fetch(`${api}/api/v1/orders`, {
  method: "POST",
  headers: {
    Authorization: `Bearer ${token}`,
    "Idempotency-Key": order.id,
    "Content-Type": "application/json"
  },
  body: JSON.stringify(order)
});
<?php
$client = new GuzzleHttp\Client();
$client->post($api . '/api/v1/shipments', [
  'headers' => [
    'Authorization' => 'Bearer ' . $token,
    'Idempotency-Key' => $shipment['external_shipment_id']
  ],
  'json' => $shipment
]);

Endpoints & errors

MethodPathAuthentication
POST/api/v1/cart-handoffsHMAC
POST/api/v1/ordersorders:write
POST/api/v1/shipments shipments:write

Errors use stable codes including invalid_token, insufficient_scope, invalid_payload, order_not_found and idempotency_conflict. Rate-limited requests return HTTP 429.

Changelog

v1.0.0 — Cart handoff, OAuth/PKCE, Orders and Shipments API.

PHP and JavaScript clients use the same standard HTTP and OAuth flows shown in the OpenAPI description. Secrets must remain server-side and can be rotated from the console.