Skip to main content

Authentication

RMZ uses different authentication methods depending on the API you are calling. This page covers all patterns.

Merchant API — Bearer Token

The Merchant API uses Laravel Sanctum tokens. You generate a token from your dashboard and include it in every request.

Getting a Token

  1. Go to Settings > API Keys in your dashboard
  2. Click Generate Token
  3. Copy and store the token securely
Tokens have full read/write access to your store. Never expose them in client-side code, public repositories, or logs.

Example Request

Invalid Token Response


Storefront API — OTP Authentication

The Storefront API authenticates customers (not merchants) using a phone/email OTP flow. This is a three-step process.

Step 1: Start Authentication

Send the customer’s phone number to begin the OTP flow:
Response:

Step 2: Verify OTP

Submit the OTP code the customer received:
For existing customers, you receive a Bearer token immediately:
For new customers, registration is required:

Step 3: Complete Registration (New Customers)

Using the Token

Once authenticated, include the token in subsequent requests:

Guest Cart

Unauthenticated users can still manage a cart using the X-Cart-Token header. See Guest Cart for details.

Embed API — Embed Key

The Embed API uses an X-Embed-Key header for authentication. The embed key is tied to a specific product and store.

License API — No Auth Header

The License Verification API does not use authentication headers. Instead, the product_id in the request body identifies the product, and the license_key is the credential being verified.

Supported Country Codes

OTP authentication in the Storefront API supports these country codes: