Fourthwall APIs | Fourthwall Dev Docs

# Overview ## Auth: API key #### Getting credentials Note that the creation of API credentials is reserved for users with the **SUPER ADMIN** role. 1. Navigate to [For developers](https://my-shop.fourthwall.com/admin/dashboard/settings/for-developers) to create an API user. 2. If API credentials haven't been generated yet, you will find a "Create API User" button under the "Open API" section. Click on it, and shortly after, the Username and Password for the Open API User will be provided. *Keep your API credentials confidential and do not share them with unauthorized personnel. These credentials grant access to sensitive data and actions within our system. Always use HTTPS/SSL for encrypted communication when making API requests.* #### Authorizing with credentials After Open API User was created, you can authorize your request by using **Basic Access Authentication**. This can be achieved by constructing an **Authorization** header with the format **Basic <base64-encoded-username-and-password>**. The base64-encoded credentials should be passed with each request to gain access to the protected resources. curl example: ```bash curl -u "your_username:your_password" http://api.fourthwall.com/open-api/v1/order/{YOUR_ORDER_ID} ``` Javascript example: ```javascript const username = "your_username"; const password = "your_password"; // Combine username and password with a colon const combinedCredentials = `${username}:${password}`; // Encode the combined credentials to Base64 const base64Credentials = btoa(combinedCredentials); const apiUrl = "http://api.fourthwall.com/open-api/v1/order/{YOUR_ORDER_ID}"; const requestOptions = { method: "GET", headers: { "Authorization": `Basic ${base64Credentials}`, "Content-Type": "application/json" } }; fetch(apiUrl, requestOptions) .then(response => response.json()) // Parse the JSON response directly .then(data => { // Handle the API response data here console.log(data); }) .catch(error => { // Handle errors console.error("Error:", error); }); ``` ## Rate limiting policy To ensure fair usage and maintain optimal system performance, we have implemented rate limiting for API requests. This means that each user is allowed a maximum of **100 requests** within a **10-second rolling window**. **What it means for you:** - You can make up to 100 requests within any 10-second period. - If you exceed this limit, any additional requests will be delayed until the 10-second window is reset. Please plan your API usage accordingly to avoid interruptions and ensure the smooth functioning of our services. ## Products RSS feed If you're just looking to read public product information, you do not need to use Open API. All sites publish a Merchant Center Feed under an RSS address: ``` {$shop_url}/.well-known/merchant-center/rss.xml ``` **Example:** for [https://shop.fourthwall.com](https://shop.fourthwall.com) the RSS feed url would be [https://shop.fourthwall.com/.well-known/merchant-center/rss.xml](https://shop.fourthwall.com/.well-known/merchant-center/rss.xml) ## Auth: Platform OAuth Right now, Platform OAuth is invite only. Please [contact us](https://docs.google.com/forms/d/1gRFnThFU8pq8Cfp3Rwy-hYS_mbUAvelu3bnER3DI8MY) to get access. We will need to know: 1. Your redirect URL 2. The permissions you need for the app #### Authorize url Link your users to this url to start the login process for your app. Always use my-shop.fourthwall.com as the shop url as this will link to the logged in user's current shop. ``` https://my-shop.fourthwall.com/admin/platform-apps/<YOUR_CLIENT_ID>/connect?redirect_uri=<YOUR_URL_ENCODED_REDIRECT_URL> ``` #### Getting an access token After the user has authorized your app, they will be redirected to your redirect URL with an authorization code. You will need to exchange this code for an access token. curl example: ```bash curl -XPOST https://auth.fourthwall.com/auth/realms/Fourthwall/protocol/openid-connect/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=authorization_code&redirect_uri=<YOUR_REDIRECT_URL>&client_id=<YOUR_CLIENT_ID>&client_secret=<YOUR_CLIENT_SECRET>&code=<AUTHORIZATION_CODE>" ``` The response will contain an `access_token`, `refresh_token`, and other information. #### Using the access token curl example: ```bash curl -XGET https://api.fourthwall.com/open-api/v1/order/{YOUR_ORDER_ID} \ -H "Authorization: Bearer YOUR_ACCESS_TOKEN" ``` #### Refreshing the access token Access tokens expire rather quickly (within 1 hour). You can use the refresh_token to get a new access token without having to re-authorize the user. curl example: ```bash curl -XPOST https://auth.fourthwall.com/auth/realms/Fourthwall/protocol/openid-connect/token \ -H "Content-Type: application/x-www-form-urlencoded" \ -d "grant_type=refresh_token&client_id=<YOUR_CLIENT_ID>&client_secret=<YOUR_CLIENT_SECRET>&refresh_token=<YOUR_REFRESH_TOKEN>" ```