RMZ provides two ways to embed checkout on external websites:
  1. Widget script (recommended) — a single script tag + button with data attributes. The widget handles the entire UI and purchase flow automatically.
  2. Direct API — HTTP endpoints for building a fully custom checkout experience.
Most integrations should use the widget script. See the Embedding Checkout guide for a complete walkthrough.
Add the script and a button to any HTML page:
<!-- RMZ Embed Code -->
<script src="https://embed-js.rmz.gg/rmz-embed.js"></script>
<button data-rmz-product="61200"
    data-rmz-key="rmz_pk_1_DIO7CqCNSyYtZSTVqqjU9VkT"
    data-rmz-theme="auto">Buy Product</button>
Attribute          Required   Description
data-rmz-product   Yes        Product ID from your dashboard
data-rmz-key       Yes        Embed public key (starts with rmz_pk_)
data-rmz-theme     No         auto, light, or dark (default: auto)
Configure your embed key and allowed domains in Dashboard > Settings > Embed.

Direct API

If you need full control over the UI, use the API endpoints below.

Base URL

https://embed.rmz.gg/api/embed

Use Cases

  • Build a fully custom checkout UI
  • Integrate embed purchasing into a native mobile app
  • Create a headless embed flow with your own design

Authentication

The Embed API uses two authentication mechanisms depending on the endpoint:

1. Embed Key (Public Endpoints)

All requests must include your store's embed public key. Pass it in the X-Embed-Key header (the API also accepts it as a query parameter; the header form is shown here):
X-Embed-Key: your_embed_public_key
You can find your embed key in Dashboard > Settings > Embed.
The embed key is public and safe to expose in client-side code: it only grants access to embed-scoped endpoints and, once you have configured allowed origins, every request carrying it is validated against that list. Treat the key as an identifier for your store rather than a secret, and rely on the allowed-origins list (not on the key staying private) to control where your checkout can be embedded.

2. Sanctum Token (Authenticated Endpoints)

After a customer completes the OTP authentication flow, they receive a Sanctum Bearer token with limited abilities (embed:checkout, embed:validate). This token is used for authenticated checkout and token validation endpoints.
Authorization: Bearer 1|abc123xyz...
X-Embed-Key: your_embed_public_key
Embed tokens are scoped to embed-only abilities. They cannot be used to access Storefront API or other platform endpoints.

Origin Validation

When you configure allowed origins in your embed settings, the API validates the Origin or Referer header of every request against that list. Requests from unauthorized domains are rejected with a 403 status. If no allowed origins are configured, requests from any origin are accepted, so configure the list before going live. Note what this check does and does not give you: browsers set Origin and Referer themselves and page scripts cannot forge them, so the list controls which websites can drive your checkout from a browser; a non-browser HTTP client can send any header value it likes, so origin validation limits misuse of your public key but is not authentication.
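The following is an added illustration of the origin check described above, written so that the matching rules and the "no allowlist configured" case are explicit. It is not RMZ's server code: the error code ORIGIN_NOT_ALLOWED, the assumption that a bare hostname in the allowlist means https, and exact origin matching (scheme, host and port) are assumptions about the behaviour, not documented facts.

```javascript
// Added illustration, not RMZ's server code. Models the documented rule:
// compare the request's Origin, or the origin part of its Referer, against
// the store's allowed-origins list; reject mismatches with 403 in the
// documented error envelope; accept everything when no list is configured.

// Strict origin parse for request headers. "null" (sandboxed iframes,
// file://) and anything unparsable yield null and therefore never match.
function parseOrigin(value) {
  try {
    return new URL(value).origin.toLowerCase();
  } catch {
    return null;
  }
}

// Allowlist entries are typed by humans; a bare "shop.example.com" is
// assumed (our assumption, not documented) to mean https://shop.example.com.
function normalizeAllowlistEntry(value) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  return parseOrigin(hasScheme ? value : `https://${value}`);
}

// Origin wins when present; otherwise fall back to the Referer's origin.
function requestOrigin(headers) {
  const origin = headers.origin ?? headers.Origin;
  if (origin) return parseOrigin(origin);
  const referer = headers.referer ?? headers.Referer;
  return referer ? parseOrigin(referer) : null;
}

// Returns { allowed, status, reason } or, when rejected, the 403 body in the
// documented { success, message, error_code } shape.
function checkOrigin(headers, allowedOrigins) {
  if (!allowedOrigins || allowedOrigins.length === 0) {
    // Documented behaviour: no allowed origins configured means any origin
    // is accepted. This is the state a store is in until someone fills the list.
    return { allowed: true, status: 200, reason: "no allowlist configured" };
  }
  const allow = new Set(allowedOrigins.map(normalizeAllowlistEntry).filter(Boolean));
  const origin = requestOrigin(headers);
  // Exact-match on the full origin: "https://shop.example.com.evil.test" and
  // "http://shop.example.com" are different origins and must not match.
  if (origin !== null && allow.has(origin)) {
    return { allowed: true, status: 200, reason: "origin matched" };
  }
  return {
    allowed: false,
    status: 403,
    body: {
      success: false,
      message: "Request origin is not allowed for this embed key",
      error_code: "ORIGIN_NOT_ALLOWED", // assumed code, not taken from the docs
    },
  };
}

// Constructed sample allowlist: one full origin and one bare host with a port.
const SAMPLE_ALLOWED_ORIGINS = ["https://shop.example.com", "store.example.net:8443"];
```

Usage: checkOrigin({ origin: "https://shop.example.com" }, SAMPLE_ALLOWED_ORIGINS) is allowed, as is a request whose only hint is referer: "https://Shop.Example.com/cart?x=1"; a look-alike such as "https://shop.example.com.evil.test", a scheme downgrade to http, an Origin of "null", or no header at all each produce the 403 envelope. The same function also shows the limit of the control: it only ever sees the header value, so a curl invocation that sets Origin to an allowed value passes exactly as a browser on that site would.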

Rate Limits

The Embed API enforces multi-layer rate limiting to prevent abuse:
Scope     Limit            Window
Per IP    30 requests      1 minute
Per IP    200 requests     1 hour
Per IP    500 requests     1 day
Global    5,000 requests   1 minute
Rate limit information is included in response headers:
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 27
Retry-After: 60
When a rate limit is exceeded, the API returns 429 Too Many Requests:
{
  "success": false,
  "message": "Too many requests. Please try again later.",
  "error_code": "RATE_LIMIT_EXCEEDED",
  "retry_after": 60
}

Additional Auth Rate Limits

The OTP authentication endpoints have separate, stricter rate limits:
Scope                   Limit         Window
OTP start per IP        50 requests   1 day
OTP start per phone     10 requests   1 day
OTP resend per IP       20 requests   1 day
OTP resend per phone    3 requests    10 minutes

CORS

Embed endpoints return permissive CORS headers since they are designed to be called from external websites via iframes or JavaScript:
Access-Control-Allow-Origin: <requesting origin>
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Embed-Key, X-Requested-With, Accept, Origin
Access-Control-Allow-Credentials: false
Access-Control-Max-Age: 86400
Access-Control-Expose-Headers: X-RateLimit-Limit, X-RateLimit-Remaining, Retry-After
Vary: Origin
Preflight OPTIONS requests return 204 No Content with the same headers. Because Access-Control-Allow-Origin echoes the requesting origin, the response also carries Vary: Origin so caches do not serve one origin's response to another. Access-Control-Allow-Credentials: false means the browser never attaches cookies to these requests; authentication travels only in the X-Embed-Key and Authorization headers, which are listed in Access-Control-Allow-Headers so that preflight permits them.

Response Format

All Embed API endpoints return JSON with a consistent structure:
{
  "success": true,
  "data": { ... }
}
Error responses include an error code and message:
{
  "success": false,
  "message": "Human-readable error message",
  "error_code": "MACHINE_READABLE_CODE"
}
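As an added example tying together the Authentication, Rate Limits and Response Format sections, here is a small browser-side client for the Direct API. It is not RMZ's widget or SDK code. It sends the documented X-Embed-Key and Authorization headers, unwraps the documented success and error envelopes, reads the rate-limit headers the API exposes, and retries once after a 429 using retry_after. The endpoint path "/product/61200", the injected fetchImpl and sleep parameters (so the example runs offline against constructed responses), and the single-retry policy are assumptions for illustration; real endpoint paths are on the individual endpoint pages.

```javascript
// Added example, not RMZ's widget or SDK code. Assumptions: the path
// "/product/61200", the fetchImpl/sleep injection, and retry-once-on-429.

const BASE_URL = "https://embed.rmz.gg/api/embed";

// Every request carries the public embed key; the Sanctum bearer token is
// added only once the customer has completed the OTP flow.
function buildHeaders({ embedKey, token }) {
  const headers = {
    Accept: "application/json",
    "Content-Type": "application/json",
    "X-Embed-Key": embedKey,
  };
  if (token) headers.Authorization = `Bearer ${token}`;
  return headers;
}

// These three headers are in Access-Control-Expose-Headers, so a
// cross-origin script is allowed to read them.
function parseRateLimit(headers) {
  const num = (name) => {
    const v = headers.get(name);
    return v === null ? null : Number(v);
  };
  return {
    limit: num("X-RateLimit-Limit"),
    remaining: num("X-RateLimit-Remaining"),
    retryAfter: num("Retry-After"),
  };
}

class EmbedApiError extends Error {
  constructor(status, body, rateLimit) {
    super(body.message || `HTTP ${status}`);
    this.name = "EmbedApiError";
    this.status = status;
    this.errorCode = body.error_code ?? null;
    // The 429 body carries retry_after; fall back to the Retry-After header.
    this.retryAfter = body.retry_after ?? rateLimit.retryAfter;
  }
}

// Send one request, unwrap the { success, data } envelope, retry once on 429.
async function embedRequest(path, options) {
  const {
    embedKey, token, method = "GET", body,
    fetchImpl = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
  } = options;
  let lastError;
  for (let attempt = 0; attempt < 2; attempt++) {
    const res = await fetchImpl(BASE_URL + path, {
      method,
      headers: buildHeaders({ embedKey, token }),
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    const rateLimit = parseRateLimit(res.headers);
    const json = await res.json();
    if (res.ok && json.success === true) return { data: json.data, rateLimit };
    lastError = new EmbedApiError(res.status, json, rateLimit);
    if (res.status === 429 && attempt === 0 && lastError.retryAfter !== null) {
      await sleep(Math.min(lastError.retryAfter, 60) * 1000); // cap the wait
      continue;
    }
    break;
  }
  throw lastError;
}

// Constructed fake fetch so the example runs offline: replays canned
// responses in order and repeats the last one once exhausted.
function fakeFetch(responses) {
  let i = 0;
  return async () => {
    const r = responses[Math.min(i, responses.length - 1)];
    i += 1;
    return {
      ok: r.status >= 200 && r.status < 300,
      status: r.status,
      headers: new Headers(r.headers),
      json: async () => r.body,
    };
  };
}

// Constructed responses: the documented 429 body, then a successful envelope.
const SAMPLE_RESPONSES = [
  { status: 429,
    headers: { "X-RateLimit-Limit": "30", "X-RateLimit-Remaining": "0", "Retry-After": "60" },
    body: { success: false, message: "Too many requests. Please try again later.",
            error_code: "RATE_LIMIT_EXCEEDED", retry_after: 60 } },
  { status: 200,
    headers: { "X-RateLimit-Limit": "30", "X-RateLimit-Remaining": "27" },
    body: { success: true, data: { id: 61200, name: "Sample product" } } },
];

// Runs the scenario: first attempt is rate limited, the retry succeeds.
async function demo() {
  return embedRequest("/product/61200", {
    embedKey: "rmz_pk_example",
    fetchImpl: fakeFetch(SAMPLE_RESPONSES),
    sleep: async () => {}, // do not actually wait in the demo
  });
}
```

Two design points worth noting. Retries are bounded and the wait is capped, because a client that loops on 429 simply burns the per-IP budget faster; and errors surface the machine-readable error_code rather than only the message, so a UI can distinguish RATE_LIMIT_EXCEEDED from a 403 origin rejection or an expired bearer token without string-matching.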

Endpoints at a Glance

Product Info

Fetch product details for the embed widget.

Coupons

Apply coupon codes and calculate discounts.

Authentication

OTP-based customer authentication flow.

Checkout

Create checkout sessions and initiate payments.

Payment Status

Check whether a payment has completed.