Skip to main content
Get started
REST APIAuthentication
REST API

Authentication

Protect merchant endpoints with scoped bearer tokens while keeping public storefront reads easy.

Bearer auth on merchant endpoints — scope-to-route mapping, workspace scoping, idempotency.

Public storefront endpoints (/stores/*, /carts/*, /search) do not require auth. Merchant endpoints (/merchant/*) require a bearer token bound to the workspace that owns the site.

Public storefront

Anyone can read published catalog and run a guest checkout. CORS is wide open on GET endpoints; POST endpoints accept JSON bodies from the same headers as UCP.

bash
# No auth required:curl https://aly.store/api/storefront/v1/stores/acme/products

Merchant endpoints

Send Authorization: Bearer aly_... (API key) or Authorization: Bearer aly_oauth_...(OAuth token). Both carry a workspace id, a user id (for audit), and a granted scope set. The server checks every request against the route's required scope and the resource's workspace.

bash
curl https://aly.store/api/storefront/v1/merchant/orders \  -H "Authorization: Bearer aly_a8d9...e3c7"

Scope mapping

Which scope governs which endpoint family:

Endpoint familyRead scopeWrite scope
/merchant/productsread:contentwrite:content
/merchant/ordersread:orderswrite:orders
/merchant/customersread:customerswrite:customers
/merchant/customer-groupsread:customerswrite:customers
/merchant/analyticsread:analytics
/merchant/webhooksread:siteswrite:sites
/merchant/price-listsread:contentwrite:content
/merchant/media/assetsread:mediawrite:media

See Authentication for the full scope catalog and OAuth flow, and Operator vs storefront scopes for guidance on which scope set to request.

Session JWTs rejected
Like MCP, UCP, and A2A — the merchant REST endpoints reject browser session JWTs. Use a bearer token. This is enforced regardless of whether the request originates same-origin from the dashboard.

Workspace scoping

Tokens are bound to one workspace at issue time. Every request the server checks that the targeted resource (the site behind a product, an order's site, etc.) lives in the token's workspace. A request for a resource in a different workspace returns 403 forbidden_workspace.

Idempotency

State-changing endpoints accept (and recommend) an Idempotency-Key header. Replays with the same key return the original response; mismatched bodies under the same key return 409.

Updated

Was this page helpful?