Skip to main content
The SDK uses a layered authentication model. Public endpoints only need a publicKey. Authenticated customer endpoints need a Bearer token. Server-side operations use HMAC-SHA256 signatures generated from a secretKey.

Authentication Layers

1. Public Key (client-side)

Every request includes an X-Public-Key header that identifies the store. This is all you need for public endpoints like product listing, store info, and cart management.
Headers sent automatically:

2. HMAC-SHA256 Signatures (server-side)

When a secretKey is provided, the SDK generates an HMAC-SHA256 signature for every request. This is required for server-side operations and the Management API.
The signature is computed over a payload that includes:
Headers sent automatically:
The SDK uses constant-time string comparison when verifying signatures to prevent timing attacks. Timestamps are validated within a 5-minute tolerance window to prevent replay attacks.

3. Bearer Token (customer authentication)

After a customer logs in via the OTP flow, you receive a Bearer token. Set it on the SDK instance to unlock authenticated endpoints (orders, wishlist, profile, courses):
To log out and clear the token:

4. Cart Token (guest sessions)

Unauthenticated visitors get a cart token when they first interact with the cart. The SDK manages this automatically — cart tokens are extracted from API responses and included in subsequent requests via the X-Cart-Token header.

Security Best Practices

Separate client and server configs

The SDK warns in the console if it detects a secretKey in a browser environment. This is a security risk — secret keys must only exist on the server.

Environment variables

HTTPS only

Always use HTTPS URLs in production. The SDK does not enforce this, but transmitting keys over HTTP is insecure.

Data Sanitization

The SDK automatically removes sensitive fields from API responses on the client side. Fields like password, secret, api_key, private_key, and webhook_secret are stripped. Legitimate tokens such as session_token, access_token, cart_token, and token are preserved.

Advanced: Direct Security Manager

For custom integrations, you can use the SecurityManager and UniversalHttpClient directly: