The RMZ Storefront API lets you build fully custom storefronts that connect to any RMZ store. It provides endpoints for browsing products, managing carts, processing checkouts, handling customer authentication, and more.

Base URL

https://front.rmz.gg/api
The store is identified automatically by the Origin or Referer header of your request. Your custom storefront domain must be configured in the store’s dashboard for requests to be accepted.

Authentication Model

The Storefront API uses two authentication mechanisms:

1. Customer Authentication (Bearer Token)

Customers authenticate via an OTP (one-time password) flow. After verifying their phone number or email, they receive a Bearer token used for authenticated endpoints (orders, profile, wishlist, courses, checkout).
Authorization: Bearer 1|abc123xyz...

2. Guest Cart Token

Unauthenticated visitors can still browse products and manage a cart using the X-Cart-Token header. A cart token is issued when items are first added to the cart and is also returned upon customer authentication.
X-Cart-Token: cart_abc123

3. Management Secret Key

The Management API endpoints use a secret key for server-to-server authentication. This key is configured in the store dashboard.
X-Secret-Key: sk_live_...

4. Custom Storefront Token

Store owners can generate custom API tokens for external developers building storefronts. Tokens are scoped by domain, environment, and permissions.
X-Custom-Token: cst_42_abc123...

Product Types

RMZ stores can sell five types of products:
Type          Description
product       Standard digital product
code          Digital codes or keys (game keys, license keys, gift cards)
service       Service-based product
subscription  Recurring subscription with variants and billing periods
course        Online course with modules and progress tracking

Response Format

All responses follow a consistent JSON structure.

Success Response

{
  "success": true,
  "data": { },
  "message": "Optional success message"
}

Paginated Response

{
  "success": true,
  "data": [],
  "pagination": {
    "current_page": 1,
    "last_page": 10,
    "per_page": 12,
    "total": 120,
    "from": 1,
    "to": 12,
    "has_more_pages": true,
    "next_page_url": "https://front.rmz.gg/api/products?page=2",
    "prev_page_url": null
  }
}

Error Response

{
  "success": false,
  "message": "Error description",
  "data": { }
}

Rate Limits

Endpoint              Limit
General API           60 requests per minute
Auth Start            50 sessions per day per IP
Phone Auth            10 attempts per day per phone number
OTP Verification      5 attempts per minute per IP
OTP Resend            3 resends per 10 minutes
Management API        Lower rate limit (separate throttle group)
Analytics Collection  120 events per minute per IP (separate from API rate limit)

When a rate limit is exceeded, you receive a 429 Too Many Requests response.

Error Codes

HTTP Code  Description
200        Success
201        Created
400        Bad Request / Validation Error
401        Unauthorized (missing or invalid token)
403        Forbidden (access denied)
404        Not Found
409        Conflict (duplicate resource)
422        Validation Error
429        Too Many Requests (rate limit exceeded)
500        Internal Server Error
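
The following is an added example, not RMZ's own code. It shows one way a storefront client could keep the management secret key out of browser code, decide what to do with each documented status code, and follow pagination links only when they stay on the API origin. The helper names (buildHeaders, safeNextPage, classifyResponse), the "browser"/"server" context values and the action strings are assumptions made for illustration.

```javascript
// Added example. buildHeaders, safeNextPage and classifyResponse are hypothetical
// helper names; header names, status codes and envelope fields are the ones
// documented on this page.
const API_ORIGIN = new URL("https://front.rmz.gg/api").origin;

// Build request headers. `context` is "browser" or "server" (assumed convention).
function buildHeaders({ context, customerToken, cartToken, secretKey }) {
  const headers = { Accept: "application/json" };
  if (secretKey !== undefined) {
    // The management key is a server-to-server secret: refuse to attach it in
    // browser code, where every visitor could read it.
    if (context !== "server") throw new Error("X-Secret-Key is server-side only");
    headers["X-Secret-Key"] = secretKey;
  }
  if (customerToken) headers["Authorization"] = `Bearer ${customerToken}`;
  if (cartToken) headers["X-Cart-Token"] = cartToken;
  return headers;
}

// Only follow pagination links that stay on the API origin over HTTPS, so
// credentials are never replayed to another host.
function safeNextPage(pagination) {
  if (!pagination || !pagination.has_more_pages || !pagination.next_page_url) return null;
  let url;
  try { url = new URL(pagination.next_page_url); } catch { return null; }
  return url.origin === API_ORIGIN ? url.href : null;
}

// Turn an HTTP status plus parsed JSON body into one decision for the caller.
function classifyResponse(status, body) {
  const message = (body && body.message) || "";
  if (status === 429) return { ok: false, action: "back_off", message };
  if (status === 401) return { ok: false, action: "reauthenticate", message };
  if (status === 403) return { ok: false, action: "check_domain_and_permissions", message };
  if (status === 400 || status === 422) return { ok: false, action: "fix_input", message };
  if (status >= 400 || !body || body.success !== true) return { ok: false, action: "fail", message };
  return { ok: true, data: body.data, nextPageUrl: safeNextPage(body.pagination) };
}

// Constructed sample: the paginated response shown on this page, trimmed.
const sample = { success: true, data: [], pagination: { has_more_pages: true,
  next_page_url: "https://front.rmz.gg/api/products?page=2" } };
console.log(classifyResponse(200, sample).nextPageUrl);
console.log(classifyResponse(429, { success: false, message: "Too Many Requests" }).action);
```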

Supported Country Codes

Code  Country
966   Saudi Arabia
973   Bahrain
971   UAE
974   Qatar
968   Oman
965   Kuwait

Caching

Responses include cache headers to help optimize your storefront:
  • X-Cache-Status: HIT or MISS indicating whether the response was served from cache
  • Cache-Control: public, max-age=N with appropriate TTL per resource type

Resource         Cache TTL
Store info       ~2 minutes
Categories       ~30 minutes
Products         ~3 minutes
Product details  ~3 minutes
Reviews          ~5 minutes

CORS

The API supports cross-origin requests. Your storefront domain must be registered in the store’s settings for CORS to allow the request. The Origin header is used to identify the store.