publicKey. Authenticated customer endpoints need a Bearer token. Server-side operations use HMAC-SHA256 signatures generated from a secretKey.
Authentication Layers
1. Public Key (client-side)
Every request includes anX-Public-Key header that identifies the store. This is all you need for public endpoints like product listing, store info, and cart management.
2. HMAC-SHA256 Signatures (server-side)
When asecretKey is provided, the SDK generates an HMAC-SHA256 signature for every request. This is required for server-side operations and the Management API.
The SDK uses constant-time string comparison when verifying signatures to prevent timing attacks. Timestamps are validated within a 5-minute tolerance window to prevent replay attacks.
3. Bearer Token (customer authentication)
After a customer logs in via the OTP flow, you receive a Bearer token. Set it on the SDK instance to unlock authenticated endpoints (orders, wishlist, profile, courses):4. Cart Token (guest sessions)
Unauthenticated visitors get a cart token when they first interact with the cart. The SDK manages this automatically — cart tokens are extracted from API responses and included in subsequent requests via theX-Cart-Token header.
Security Best Practices
Separate client and server configs
Environment variables
HTTPS only
Always use HTTPS URLs in production. The SDK does not enforce this, but transmitting keys over HTTP is insecure.Data Sanitization
The SDK automatically removes sensitive fields from API responses on the client side. Fields likepassword, secret, api_key, private_key, and webhook_secret are stripped. Legitimate tokens such as session_token, access_token, cart_token, and token are preserved.
Advanced: Direct Security Manager
For custom integrations, you can use theSecurityManager and UniversalHttpClient directly:

