Storefront API
Browser-safe endpoints for catalog, cart, checkout, and customer auth.
The Storefront API is the surface a headless storefront talks to. Everything
under /api/v1/store/* accepts a publishable key (pk_live_…) and is
CORS-safe for any origin in the shop's allowlist.
Authentication
Send your publishable key on every request:
X-Sellvik-Key: pk_live_a1b2c3_AbCdEf...Customer-bound endpoints (anything that returns or mutates a specific
customer's data) additionally require a customer JWT in Authorization:
X-Sellvik-Key: pk_live_a1b2c3_AbCdEf...
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...Cart endpoints accept a X-Sellvik-Cart token instead of (or alongside) the
customer JWT to identify a guest cart.
See Authentication for the full model.
Base URL
https://api.sellvik.appAll v1 paths also resolve from https://<shop-subdomain>.sellvik.com and
any attached custom domain. Use the canonical host in code.
Endpoints
| Resource group | Description |
|---|---|
| Catalog | Products and categories, public read. |
| Cart | Guest and customer-bound carts. |
| Checkout | Convert a cart to an order. |
| Customer auth | Signup, login, refresh, logout. |
| Customer profile | Self-service: me, order history. |
Capabilities
Publishable keys have no per-call scopes. Their ceiling is the union of
endpoint surfaces above — nothing in /v1/admin/* is reachable.
Rate limit
600 requests per minute per key. See Rate limits.