Authentication
RMZ uses different authentication methods depending on the API you are calling. This page covers all patterns.
Merchant API — Bearer Token
The Merchant API uses Laravel Sanctum tokens. You generate a token from your dashboard and include it in every request.
Getting a Token
- Go to Settings > API Keys in your dashboard
- Click Generate Token
- Copy and store the token securely
Tokens have full read/write access to your store. Never expose them in client-side code, public repositories, or logs.
Example Request
Invalid Token Response
Storefront API — OTP Authentication
The Storefront API authenticates customers (not merchants) using a phone/email OTP flow. This is a three-step process.
Step 1: Start Authentication
Send the customer’s phone number to begin the OTP flow:
Response:
Step 2: Verify OTP
Submit the OTP code the customer received:
For existing customers, you receive a Bearer token immediately:
For new customers, registration is required:
Step 3: Complete Registration (New Customers)
Using the Token
Once authenticated, include the token in subsequent requests:
Guest Cart
Unauthenticated users can still manage a cart using the X-Cart-Token header. See Guest Cart for details.
Embed API — Embed Key
The Embed API uses an X-Embed-Key header for authentication. The embed key is tied to a specific product and store.
The License Verification API does not use authentication headers. Instead, the product_id in the request body identifies the product, and the license_key is the credential being verified.
Supported Country Codes
OTP authentication in the Storefront API supports these country codes: