API Reference — Virtual Stores System
Base URL: https://{slug}.store.inallweb.com
Authentication: Bearer JWT token in the Authorization header
Content-Type: application/json
Tenant resolution: automatic via subdomain, custom domain, or JWT
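Tenant resolution is the trust boundary of a multi-tenant API: every request must end up bound to exactly one store, and the tenant implied by the host must never disagree with the tenant named in the token. The following Python is an added illustration of that check, not the platform's own middleware; it assumes the JWT carries the store slug in a claim named `tenant`, that custom domains are looked up in a host-to-slug map, and that a few reserved labels are not valid store slugs.

```python
"""Tenant resolution, added here as an illustration (not the platform's own code).

The reference says the tenant comes from the subdomain, a custom domain, or the
JWT. Whichever source wins, a host-derived tenant and a token-derived tenant must
agree, otherwise a token issued for one store could be replayed against another.
Assumptions: the JWT carries the tenant slug in a claim named ``tenant``, and
custom domains are looked up in a host -> slug map.
"""
from typing import Mapping, Optional

PLATFORM_SUFFIX = ".store.inallweb.com"      # from the documented base URL
RESERVED_SLUGS = {"www", "api", "admin"}     # assumption: never valid store slugs


class TenantMismatch(Exception):
    """The Host header and the JWT name different tenants."""


def tenant_from_host(host: str, custom_domains: Mapping[str, str]) -> Optional[str]:
    """Slug implied by the Host header, or None if the host names no tenant."""
    host = host.split(":", 1)[0].strip().lower().rstrip(".")   # drop port, normalise
    if host.endswith(PLATFORM_SUFFIX):
        slug = host[: -len(PLATFORM_SUFFIX)]
        # exactly one label: no nested subdomains, no empty or reserved names
        if slug and "." not in slug and slug not in RESERVED_SLUGS:
            return slug
        return None
    return custom_domains.get(host)


def resolve_tenant(host: str,
                   jwt_claims: Optional[Mapping[str, object]],
                   custom_domains: Mapping[str, str]) -> str:
    """Resolve the tenant for a request; the host and the token must not disagree."""
    host_tenant = tenant_from_host(host, custom_domains)
    token_tenant = None
    if jwt_claims is not None:
        claim = jwt_claims.get("tenant")
        # a platform-team (sysadmin) token may carry no tenant claim: assumption
        token_tenant = claim if isinstance(claim, str) and claim else None
    if host_tenant and token_tenant and host_tenant != token_tenant:
        raise TenantMismatch(f"host says {host_tenant!r}, token says {token_tenant!r}")
    tenant = host_tenant or token_tenant
    if tenant is None:
        raise LookupError(f"no tenant for host {host!r}")
    return tenant
```

The mismatch case is the one worth testing: a valid token for store A presented on store B's hostname must be refused rather than silently resolved to either side.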
Authentication
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/auth/login | - | Login (admin or customer) |
| POST | /api/auth/register | - | Register new customer account |
| GET | /api/auth/me | Bearer | Get current user info |
| POST | /api/auth/refresh | Bearer | Refresh access token |
| POST | /api/auth/logout | - | Logout (client-side invalidation only; the server does not revoke the JWT) |
| POST | /api/auth/forgot-password | - | Request password reset email |
| POST | /api/auth/reset-password | - | Reset password with token |
Products
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/products | - | List products (filters: search, category_id, tag_id, min_price, max_price, stock_status, is_featured, is_active, sort_by, sort_dir; pagination: page, page_size) |
| GET | /api/products/{slug} | - | Get product by slug |
| POST | /api/products | Manager+ | Create a product |
| PUT | /api/products/{product_id} | Manager+ | Update a product |
| DELETE | /api/products/{product_id} | Manager+ | Delete a product |
| POST | /api/products/{product_id}/images | Manager+ | Upload product image (multipart: file or image, is_primary; max 10 MB) |
| DELETE | /api/products/{product_id}/images/{image_id} | Manager+ | Delete product image |
Product Variants
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/products/{product_id}/variants | - | List variants for a product |
| POST | /api/products/{product_id}/variants | Manager+ | Create a variant |
| PUT | /api/products/{product_id}/variants/{variant_id} | Manager+ | Update a variant |
| DELETE | /api/products/{product_id}/variants/{variant_id} | Manager+ | Delete a variant |
Product Attributes
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/attributes | - | List all attributes with values |
| POST | /api/attributes | Manager+ | Create an attribute (with optional values) |
| POST | /api/attributes/{attribute_id}/values | Manager+ | Add a value to an attribute |
| DELETE | /api/attributes/{attribute_id} | Manager+ | Delete an attribute |
Categories
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/categories | - | List categories as tree or flat list (params: flat, include_inactive) |
| GET | /api/categories/{slug} | - | Get category by slug |
| POST | /api/categories | Manager+ | Create a category |
| PUT | /api/categories/{category_id} | Manager+ | Update a category |
| DELETE | /api/categories/{category_id} | Manager+ | Delete a category |
Tags
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/tags | - | List all tags |
| POST | /api/tags | Manager+ | Create a tag |
| DELETE | /api/tags/{tag_id} | Manager+ | Delete a tag |
Cart
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/cart | Optional | Get current cart (auth or X-Session-ID header) |
| POST | /api/cart/items | Optional | Add item to cart |
| PUT | /api/cart/items/{item_id} | Optional | Update cart item quantity |
| DELETE | /api/cart/items/{item_id} | Optional | Remove item from cart |
| POST | /api/cart/coupon | Optional | Apply coupon code to cart |
| DELETE | /api/cart/coupon | Optional | Remove coupon from cart |
| POST | /api/cart/merge | Bearer | Merge guest cart into authenticated user cart |
Guest carts use the X-Session-ID header for identification. Whoever presents a given X-Session-ID can read and modify that cart, so clients should generate it from a cryptographic random source and never derive it from guessable data.
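The guest-to-account hand-off is where session handling usually goes wrong, so here is an added Python client sketch (not the project's own client) that shows which header goes on which call: X-Session-ID alone while anonymous, Authorization alone once logged in, and both on the single /api/cart/merge request, after which the session ID is rotated. The transport is injected so the flow runs offline; the item body fields and the assumption that the merge call wants both headers are not specified by the reference.

```python
"""Guest-cart session handling, added as an example (not the project's client).

A guest cart is whatever cart the presented X-Session-ID names, so the session
ID is a bearer credential for that cart: mint it from a CSPRNG, never derive it
from anything guessable, and rotate it once the guest cart has been merged into
the account. The transport is injected so the flow runs offline; the item body
fields and the assumption that /api/cart/merge wants both the Bearer token and
the X-Session-ID header are not specified by the reference.
"""
import secrets
from typing import Callable, Dict, Optional

# (method, url, headers, json_body) -> decoded response
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], dict]


class CartClient:
    def __init__(self, base_url: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.session_id = secrets.token_urlsafe(32)   # 256 bits of entropy
        self.access_token: Optional[str] = None

    def _headers(self, include_session: bool = False) -> Dict[str, str]:
        headers = {"Content-Type": "application/json"}
        if self.access_token:
            headers["Authorization"] = f"Bearer {self.access_token}"
            if include_session:                       # only the merge call needs both
                headers["X-Session-ID"] = self.session_id
        else:
            headers["X-Session-ID"] = self.session_id  # guest: cart identified by session only
        return headers

    def _call(self, method: str, path: str, body: Optional[dict] = None,
              include_session: bool = False) -> dict:
        return self.transport(method, self.base_url + path,
                              self._headers(include_session), body)

    def get_cart(self) -> dict:
        return self._call("GET", "/api/cart")

    def add_item(self, product_id: str, quantity: int = 1,
                 variant_id: Optional[str] = None) -> dict:
        body = {"product_id": product_id, "quantity": quantity}   # field names assumed
        if variant_id:
            body["variant_id"] = variant_id
        return self._call("POST", "/api/cart/items", body)

    def login(self, access_token: str) -> dict:
        """Attach the JWT from POST /api/auth/login, then merge the guest cart into the account."""
        self.access_token = access_token
        merged = self._call("POST", "/api/cart/merge", include_session=True)
        self.session_id = secrets.token_urlsafe(32)   # old ID no longer names a live cart
        return merged
```

Rotating the session ID after the merge means a session ID that leaked while the user was anonymous (in logs, referers, a shared device) cannot later be used to reach the merged cart.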
Orders
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/orders | Staff+ | List orders (filters: status, payment_status, date_from, date_to, search; pagination) |
| GET | /api/orders/{order_id} | Staff+ | Get order by ID |
| GET | /api/orders/by-number/{order_number} | Bearer | Get order by order number |
| POST | /api/orders/checkout | Optional | Create order from cart (checkout) |
| PUT | /api/orders/{order_id}/status | Manager+ | Update order status |
| POST | /api/orders/{order_id}/fulfill | Staff+ | Fulfill order (add tracking: carrier, tracking_number, tracking_url) |
| POST | /api/orders/{order_id}/refund | Admin | Process refund (full or partial) |
| GET | /api/orders/{order_id}/timeline | Staff+ | Get order timeline events |
| POST | /api/orders/{order_id}/resend-email | Staff+ | Resend confirmation email to customer |
Checkout (Stripe Hosted)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/checkout/create-session | Bearer | Create Stripe Checkout Session for an order |
Payments (Stripe Connect)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/payments/create-intent | Bearer | Create Stripe PaymentIntent for an order |
| POST | /api/payments/refund | Admin | Create refund for an order |
| GET | /api/payments/connect/status | Admin | Get Stripe Connect onboarding status |
| POST | /api/payments/connect/onboard | Admin | Start Stripe Connect onboarding |
| GET | /api/payments/connect/balance | Admin | Get Stripe Connect balance |
| POST | /api/payments/connect/payout | Admin | Create manual payout |
| GET | /api/payments/connect/transactions | Admin | List recent transactions |
| GET | /api/payments/connect/payouts | Admin | List recent payouts |
| POST | /api/payments/webhook | - | Stripe webhook handler (legacy) |
Webhooks
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/webhooks/stripe | - | Stripe webhook handler (payment_intent.succeeded, payment_intent.payment_failed, charge.refunded, charge.dispute.created, charge.dispute.closed, account.updated) |
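Both webhook routes are unauthenticated by design, so the Stripe-Signature header is the only thing that distinguishes a Stripe delivery from an arbitrary POST that claims an order was paid. The Python below is an added example of a receiver for the six listed event types, not the project's handler: it implements Stripe's documented signature scheme (`t=<unix time>` plus one or more `v1=<hex HMAC-SHA256 over "<t>.<raw body>">` keyed with the endpoint secret), enforces a timestamp tolerance against replay, and dispatches by event type. The endpoint secret, event bodies and the per-event action names are constructed for the example.

```python
"""Stripe webhook receiver, added as an example (not the project's handler).

Both webhook routes accept unauthenticated POSTs, so the Stripe-Signature header
is the only proof a request came from Stripe. The scheme is Stripe's documented
one: the header carries ``t=<unix time>`` and one or more ``v1=<hex HMAC-SHA256>``
computed over ``"<t>.<raw body>"`` with the endpoint secret; signatures older
than the tolerance are rejected to limit replay. The secret, the event bodies and
the per-event actions below are constructed for this example.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

HANDLED_EVENTS = {  # the six event types the reference lists for /api/webhooks/stripe
    "payment_intent.succeeded": "mark_order_paid",
    "payment_intent.payment_failed": "mark_payment_failed",
    "charge.refunded": "mark_order_refunded",
    "charge.dispute.created": "flag_dispute",
    "charge.dispute.closed": "close_dispute",
    "account.updated": "sync_connect_status",
}


def _mac(payload: bytes, secret: str, timestamp: int) -> str:
    signed = f"{timestamp}.".encode() + payload        # sign the raw bytes, never re-serialised JSON
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def sign_payload(payload: bytes, secret: str, timestamp: int) -> str:
    """Build a Stripe-Signature header value (what Stripe does on its side)."""
    return f"t={timestamp},v1={_mac(payload, secret, timestamp)}"


def verify_signature(payload: bytes, sig_header: str, secret: str,
                     now: Optional[int] = None, tolerance: int = 300) -> bool:
    """True only if some v1 signature matches and the timestamp is within tolerance."""
    now = int(time.time()) if now is None else now
    fields: Dict[str, List[str]] = {}
    for part in sig_header.split(","):
        key, _, value = part.strip().partition("=")
        fields.setdefault(key, []).append(value)
    try:
        timestamp = int(fields["t"][0])
    except (KeyError, IndexError, ValueError):
        return False
    if abs(now - timestamp) > tolerance:
        return False                                    # stale or future-dated: replay guard
    expected = _mac(payload, secret, timestamp)
    # constant-time compare against every v1 candidate (Stripe sends several during secret rotation)
    return any(hmac.compare_digest(expected, cand) for cand in fields.get("v1", []))


def make_event(event_id: str, event_type: str, object_id: str) -> bytes:
    """Constructed minimal Stripe-shaped event body for local testing."""
    return json.dumps({"id": event_id, "type": event_type,
                       "data": {"object": {"id": object_id}}}).encode()


def handle_webhook(raw_body: bytes, sig_header: str, secret: str,
                   now: Optional[int] = None) -> Dict[str, str]:
    """Verify, then dispatch on event type. Returns what the handler decided."""
    if not verify_signature(raw_body, sig_header, secret, now):
        return {"status": "rejected", "reason": "invalid signature"}
    event = json.loads(raw_body)
    event_type = str(event.get("type", ""))
    action = HANDLED_EVENTS.get(event_type)
    if action is None:
        return {"status": "ignored", "type": event_type}   # still answer 2xx so Stripe stops retrying
    object_id = str(event.get("data", {}).get("object", {}).get("id", ""))
    # event["id"] is the idempotency key: Stripe retries, so record it before acting
    return {"status": "processed", "type": event_type, "action": action,
            "object": object_id, "event_id": str(event.get("id", ""))}
```

Two details matter in practice: the signature is computed over the exact request bytes, so the framework must hand the handler the raw body rather than a parsed-and-re-encoded one, and the legacy /api/payments/webhook route needs the same verification, or it becomes the unauthenticated path attackers use instead.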
Coupons
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/coupons | Manager+ | List coupons (pagination) |
| POST | /api/coupons | Manager+ | Create a coupon |
| PUT | /api/coupons/{coupon_id} | Manager+ | Update a coupon |
| DELETE | /api/coupons/{coupon_id} | Manager+ | Delete a coupon |
| POST | /api/coupons/validate | - | Validate coupon code (public) |
Customers
Self-service (authenticated customer)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/customers/me | Bearer | Get own profile |
| PUT | /api/customers/me | Bearer | Update own profile |
| PUT | /api/customers/me/password | Bearer | Change own password |
| GET | /api/customers/me/preferences | Bearer | Get notification preferences |
| PUT | /api/customers/me/preferences | Bearer | Update notification preferences |
| GET | /api/customers/me/data-export | Bearer | GDPR: export all personal data (JSON) |
| DELETE | /api/customers/me | Bearer | GDPR: delete account and personal data |
Admin endpoints
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/customers | Manager+ | List customers (filters: search, segment; pagination) |
| GET | /api/customers/{customer_id} | Manager+ | Get full customer detail (stats, orders, addresses, segment) |
| PUT | /api/customers/{customer_id} | Manager+ | Update customer |
| PUT | /api/customers/{user_id}/role | Admin | Change user role |
| GET | /api/customers/analytics/overview | Manager+ | Customer analytics (segments, trends, top customers) |
| GET | /api/customers/export | Admin | Export all customers as CSV |
Addresses
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/addresses | Bearer | List own addresses |
| POST | /api/addresses | Bearer | Create an address |
| PUT | /api/addresses/{address_id} | Bearer | Update an address |
| DELETE | /api/addresses/{address_id} | Bearer | Delete an address |
Shipping
Admin
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/shipping/zones | Admin | List shipping zones with methods |
| POST | /api/shipping/zones | Admin | Create a shipping zone |
| PUT | /api/shipping/zones/{zone_id} | Admin | Update a shipping zone |
| DELETE | /api/shipping/zones/{zone_id} | Admin | Delete a shipping zone |
| POST | /api/shipping/zones/{zone_id}/methods | Admin | Add method to zone |
| PUT | /api/shipping/methods/{method_id} | Admin | Update a shipping method |
| DELETE | /api/shipping/methods/{method_id} | Admin | Delete a shipping method |
Public
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/shipping/calculate | - | Calculate shipping options (params: postal_code, country, weight, total) |
| POST | /api/shipping/calculate | - | Calculate shipping options (body: country, postcode, weight, subtotal) |
Taxes
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/taxes | Admin | List tax rules |
| POST | /api/taxes | Admin | Create a tax rule |
| PUT | /api/taxes/{tax_id} | Admin | Update a tax rule |
| DELETE | /api/taxes/{tax_id} | Admin | Delete a tax rule |
| POST | /api/taxes/calculate | - | Calculate tax (public: tax_class, country, amount) |
Reviews
Public
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/products/{product_id}/reviews | - | List approved reviews (filters: sort_by; pagination) |
| GET | /api/products/{product_id}/rating | - | Get average rating summary |
Customer
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/products/{product_id}/reviews | Bearer | Submit a review |
Admin
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/admin/reviews | Staff+ | List all reviews (filters: status, product_id; pagination) |
| PATCH | /api/admin/reviews/{review_id}/approve | Staff+ | Approve a review |
| DELETE | /api/admin/reviews/{review_id} | Staff+ | Delete a review |
Wishlist
Feature-gated: requires the "wishlist" addon to be active.
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/wishlist | Bearer | List wishlist items |
| POST | /api/wishlist | Bearer | Add product to wishlist |
| DELETE | /api/wishlist/{product_id} | Bearer | Remove product from wishlist |
| GET | /api/wishlist/check/{product_id} | Bearer | Check if product is in wishlist |
| POST | /api/wishlist/share | Bearer | Generate shareable wishlist link |
| GET | /api/wishlist/shared/{token} | - | View shared wishlist (public) |
Dashboard
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/dashboard/stats | Staff+ | Dashboard KPIs (orders, revenue, products, customers) |
| GET | /api/dashboard/stats/chart | Staff+ | Chart data (params: period = 7d, 30d, 12m) |
| GET | /api/dashboard/stats/breakdown | Staff+ | Order breakdown by status, payment, top categories |
Reports
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/reports/sales | Manager+ | Sales report (params: period, group_by) |
| GET | /api/reports/products | Manager+ | Top products report (params: period, limit, sort_by) |
| GET | /api/reports/categories | Manager+ | Category breakdown report |
| GET | /api/reports/customers | Manager+ | Customer analytics (new vs returning, LTV) |
| GET | /api/reports/export | Manager+ | Export report as CSV (params: type, period) |
Pages (CMS)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/pages | - | List pages (pagination) |
| GET | /api/pages/{slug} | - | Get page by slug (public, active only) |
| POST | /api/pages | Manager+ | Create a page |
| PUT | /api/pages/{page_id} | Manager+ | Update a page |
| DELETE | /api/pages/{page_id} | Manager+ | Delete a page |
Templates
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/templates | - | List active templates (public) |
| GET | /api/templates/{slug} | - | Get template by slug (public) |
| PUT | /api/tenants/current/template | Admin | Apply a template to current tenant |
Branding
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/branding | Admin | Get branding (frontend-friendly names) |
| PUT | /api/branding | Admin | Update branding |
| POST | /api/branding/upload/{image_type} | Admin | Upload branding image (logo, banner, hero; max 5 MB) |
Tenant Settings
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/tenant/settings | Admin | Get tenant settings |
| PUT | /api/tenant/settings | Admin | Update tenant settings |
| GET | /api/tenants/current | Admin | Get current tenant full details |
| PUT | /api/tenants/current | Admin | Update current tenant |
| PUT | /api/tenants/current/branding | Admin | Update branding (DB field names) |
Storefront (Public)
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/storefront/branding | - | Get tenant branding for storefront (no auth, tenant via middleware) |
| GET | /api/storefront/products | - | List products (filters: search, category_slug, min_price, max_price, in_stock, featured, sort_by; pagination) |
| GET | /api/storefront/products/{slug} | - | Get product by slug (increments view count) |
| GET | /api/storefront/categories | - | List active categories with product counts |
| GET | /api/storefront/categories/{slug} | - | Get category by slug |
Plans & Addons
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/plans | - | List all available plans |
| GET | /api/plans/addons | - | List all available addons |
| GET | /api/plans/tenant/{tenant_id}/features | - | Get active features for a tenant |
Audit Log
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/admin/audit-log | Admin | Get paginated audit log (filters: resource_type, action, user_id, date_from, date_to) |
Integrations — Moloni
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/integrations/moloni/authorize | Admin | Start Moloni OAuth2 authorization flow |
| GET | /api/integrations/moloni/callback | - | Moloni OAuth2 callback |
| GET | /api/integrations/moloni/status | Admin | Check Moloni connection status |
| POST | /api/integrations/moloni/invoice/{order_id} | Admin | Create Moloni invoice for an order |
| GET | /api/integrations/moloni/invoice/{order_id}/pdf | Admin | Get invoice PDF URL |
Migration
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| POST | /api/migration/woocommerce/import | SysAdmin | Import products from WooCommerce |
SysAdmin — Platform Dashboard
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/sysadmin/dashboard | SysAdmin | Platform-wide statistics (MRR, tenants, orders, revenue growth) |
| GET | /api/sysadmin/tenants | SysAdmin | List tenants with stats (filters: search, plan, sort_by, sort_order) |
| GET | /api/sysadmin/tenants/{tenant_id}/detail | SysAdmin | Get tenant detail with stats |
| GET | /api/sysadmin/tenants/{tenant_id}/users | SysAdmin | List tenant users |
| PUT | /api/sysadmin/tenants/{tenant_id}/suspend | SysAdmin | Suspend a tenant |
| PUT | /api/sysadmin/tenants/{tenant_id}/activate | SysAdmin | Activate a tenant |
| DELETE | /api/sysadmin/tenants/{tenant_id} | SysAdmin | Soft-delete a tenant |
Tenant Provisioning
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/sysadmin/tenants | SysAdmin | List all tenants (pagination, search) |
| POST | /api/sysadmin/tenants | SysAdmin | Create new tenant with admin user |
| GET | /api/sysadmin/tenants/{tenant_id} | SysAdmin | Get tenant by ID |
| PUT | /api/sysadmin/tenants/{tenant_id} | SysAdmin | Update tenant (all fields) |
| POST | /api/sysadmin/tenants/{tenant_id}/activate | SysAdmin | Activate tenant |
| POST | /api/sysadmin/tenants/{tenant_id}/suspend | SysAdmin | Suspend tenant |
Health
| Method | Endpoint | Auth | Description |
|---|---|---|---|
| GET | /api/health | - | Health check |
Auth Levels Reference
| Level | Description |
|---|---|
| - | No authentication required (public) |
| Optional | Works with or without authentication |
| Bearer | Requires valid JWT token |
| Staff+ | Requires staff, manager, admin, or sysadmin role |
| Manager+ | Requires manager, admin, or sysadmin role |
| Admin | Requires admin or sysadmin role |
| SysAdmin | Requires sysadmin role (In All Web platform team) |
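The levels in this table form a strict ladder (staff < manager < admin < sysadmin), and the check belongs on the server against the role carried in the validated JWT, never against anything the client sends separately. The Python below is an added example of that gate, not the project's code; it assumes the role lives in a claim named `role`, that ordinary customers have the role `customer`, and that the wrapped handlers receive the claims as their first argument.

```python
"""Server-side enforcement of the Auth Levels table, added as an example
(not the project's code). Assumptions: the validated JWT carries the role in a
claim named ``role``; customers have the role ``customer``; handlers take the
claims as their first argument. Unknown roles fail closed.
"""
from functools import wraps
from typing import Callable, Mapping, Optional

ROLE_RANK = {"customer": 0, "staff": 1, "manager": 2, "admin": 3, "sysadmin": 4}

# auth level from the table -> lowest role that satisfies it (None: no token needed)
LEVEL_MIN_ROLE = {
    "-": None,          # public
    "Optional": None,   # works with or without a token
    "Bearer": "customer",
    "Staff+": "staff",
    "Manager+": "manager",
    "Admin": "admin",
    "SysAdmin": "sysadmin",
}


class Unauthorized(Exception):
    """A token is required and none was presented (HTTP 401)."""


class Forbidden(Exception):
    """A token was presented but its role is insufficient (HTTP 403)."""


def check_access(level: str, claims: Optional[Mapping[str, object]]) -> bool:
    """Return True when `claims` (from an already-verified JWT) satisfy `level`."""
    if level not in LEVEL_MIN_ROLE:
        raise ValueError(f"unknown auth level {level!r}")
    min_role = LEVEL_MIN_ROLE[level]
    if min_role is None:
        return True
    if claims is None:
        raise Unauthorized(level)
    role = claims.get("role")
    # a role the ladder does not know is treated as no role at all: fail closed
    if not isinstance(role, str) or role not in ROLE_RANK:
        raise Forbidden(f"unrecognised role {role!r}")
    if ROLE_RANK[role] < ROLE_RANK[min_role]:
        raise Forbidden(f"{role} may not use a {level} endpoint")
    return True


def requires(level: str) -> Callable:
    """Decorator binding a handler to one row of the auth-level table."""
    def decorate(handler: Callable) -> Callable:
        @wraps(handler)
        def wrapper(claims: Optional[Mapping[str, object]], *args, **kwargs):
            check_access(level, claims)
            return wrapper_target(claims, *args, **kwargs)
        wrapper_target = handler
        return wrapper
    return decorate


@requires("Manager+")
def delete_product(claims: Mapping[str, object], product_id: str) -> str:
    """Stand-in for DELETE /api/products/{product_id}."""
    return f"deleted {product_id}"


@requires("Optional")
def get_cart(claims: Optional[Mapping[str, object]]) -> str:
    """Stand-in for GET /api/cart: works for guests and authenticated users."""
    return "user cart" if claims else "guest cart"
```

The distinction between Unauthorized and Forbidden is deliberate: a missing token should prompt the client to authenticate, while a valid token with the wrong role should be logged as a possible privilege-escalation attempt, and the two cases must not be collapsed into one response.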