Authentication

RMZ uses different authentication methods depending on the API you are calling. This page covers all patterns.

Merchant API — Bearer Token

The Merchant API uses Laravel Sanctum tokens. You generate a token from your dashboard and include it in every request.
Authorization: Bearer YOUR_API_TOKEN

Getting a Token

  1. Go to Settings > API Keys in your dashboard
  2. Click Generate Token
  3. Copy and store the token securely
Tokens have full read/write access to your store. Never expose them in client-side code, public repositories, or logs.
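
As an added example (not RMZ's own code), the Python logging filter below keeps credentials out of application logs. It goes beyond the Merchant token and also masks the X-Embed-Key and X-Cart-Token headers and the token, session_token, cart_token and license_key body fields used elsewhere on this page. The regular expressions are assumptions based on the sample values shown here, not an RMZ specification.

```python
import logging
import re

# Patterns are assumptions derived from the samples on this page.
_FIELDS = r"token|session_token|cart_token|license_key"
_PATTERNS = [
    # "Authorization: Bearer 1|AbCd..." in headers or logged curl commands
    (re.compile(r"(Bearer\s+)[^\s\"']+", re.I), r"\1[REDACTED]"),
    # "X-Embed-Key: ..." and "X-Cart-Token: ..." headers
    (re.compile(r"(X-(?:Embed-Key|Cart-Token)\s*:\s*)[^\s\"']+", re.I),
     r"\1[REDACTED]"),
    # JSON or dict-repr body fields such as "session_token": "auth_..."
    (re.compile(r"([\"'](?:" + _FIELDS + r")[\"']\s*:\s*[\"'])[^\"']*([\"'])"),
     r"\1[REDACTED]\2"),
    # Bare "<id>|<secret>" token anywhere else (minimum length is an assumption)
    (re.compile(r"\b\d+\|[A-Za-z0-9]{20,}\b"), "[REDACTED]"),
]


def redact(text: str) -> str:
    """Return text with every credential pattern above masked."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactSecrets(logging.Filter):
    """Masks credentials in the fully formatted log message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


if __name__ == "__main__":
    # Attach to the handler so records from child loggers are covered too.
    handler = logging.StreamHandler()
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("rmz-client")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample lines using the placeholder values from this page.
    log.info("request headers=%s",
             {"Authorization": "Bearer 1|AbCdEfGhIjKlMnOpQrStUvWxYz"})
    log.info('verify body={"session_token": "auth_abc123xyz", "code": "1234"}')
```

The filter only sees the log message itself, so exception tracebacks and output written outside the logging module need separate handling.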

Example Request

curl -X GET "https://merchant-api.rmz.gg/shawarma/store" \
  -H "Authorization: Bearer 1|AbCdEfGhIjKlMnOpQrStUvWxYz" \
  -H "Accept: application/json"

Invalid Token Response

{
  "message": "Unauthenticated."
}

Storefront API — OTP Authentication

The Storefront API authenticates customers (not merchants) using a phone/email OTP flow. The flow has three steps; the third is needed only for new customers.

Step 1: Start Authentication

Send the customer’s phone number to begin the OTP flow:
curl -X POST "https://front.rmz.gg/api/auth/start" \
  -H "Content-Type: application/json" \
  -d '{
    "country_code": "966",
    "phone": "501234567"
  }'
Response:
{
  "success": true,
  "message": "Verification code sent successfully",
  "data": {
    "session_token": "auth_abc123xyz"
  }
}

Step 2: Verify OTP

Submit the OTP code the customer received:
curl -X POST "https://front.rmz.gg/api/auth/verify" \
  -H "Content-Type: application/json" \
  -d '{
    "session_token": "auth_abc123xyz",
    "code": "1234"
  }'
For existing customers, you receive a Bearer token immediately:
{
  "success": true,
  "data": {
    "type": "authenticated",
    "token": "1|abc123xyz...",
    "cart_token": "cart_xyz789",
    "customer": {
      "id": 123,
      "first_name": "Ahmed",
      "last_name": "Ali"
    }
  }
}
For new customers, registration is required:
{
  "success": true,
  "data": {
    "type": "new",
    "requires_registration": true,
    "session_token": "auth_abc123xyz"
  }
}

Step 3: Complete Registration (New Customers)

curl -X POST "https://front.rmz.gg/api/auth/complete" \
  -H "Content-Type: application/json" \
  -d '{
    "session_token": "auth_abc123xyz",
    "email": "ahmed@example.com",
    "firstName": "Ahmed",
    "lastName": "Ali"
  }'

Using the Token

Once authenticated, include the token in subsequent requests:
curl -H "Authorization: Bearer 1|abc123xyz..." \
  https://front.rmz.gg/api/customer/profile

Guest Cart

Unauthenticated users can still manage a cart using the X-Cart-Token header. See Guest Cart for details.

Embed API — Embed Key

The Embed API uses an X-Embed-Key header for authentication. The embed key is tied to a specific product and store.
X-Embed-Key: YOUR_EMBED_KEY

License API — No Auth Header

The License Verification API does not use authentication headers. Instead, the product_id in the request body identifies the product, and the license_key is the credential being verified.
curl -X POST "https://license.rmz.gg/verify" \
  -H "Content-Type: application/json" \
  -d '{
    "product_id": 123,
    "license_key": "MYAPP-XXXX-XXXX-XXXX-XXXX",
    "hwid": "machine-hardware-id"
  }'

Supported Country Codes

OTP authentication in the Storefront API supports these country codes:
Code  Country
966   Saudi Arabia
973   Bahrain
971   UAE
974   Qatar
968   Oman
965   Kuwait