Skip to main content

API reference

Four API surfaces

SurfacePathAuthUse case
v1 admin API/api/v1/...Bearer tokenServer-to-server programmatic
Public endpoints/api/public/...CORS or pk_*Storefront-side fetches
Inbound webhooksvariousHMAC verifiedShopify / WA / marketplace events
Outbound webhooks(your URL)HMAC signedNotify your systems

Each linked from intro and detailed on its own page.

Conventions

Base URL

https://api.sumeru.systems

EU customers can opt for eu.api.sumeru.systems (Enterprise + data-residency requirement).

Versioning

The v1 admin API is semver versioned. Breaking changes get a major bump (v2) with 12-month deprecation of v1.

Public endpoints + webhooks: backwards-compatible additions ship continuously; breaking changes follow same v1→v2 model.

HTTP methods

MethodUsed for
GETRead
POSTCreate or trigger action
PATCHPartial update
DELETERemove
PUTFull replace (rare; used only where relevant)

Pagination

Cursor-based; consistent across endpoints:

GET /api/v1/customers?limit=50&cursor=eyJpZCI6ImN1c19hYmMxMjMifQ==

Response includes pagination:

{
  "data": [ ... ],
  "pagination": {
    "next_cursor": "eyJpZCI6ImN1c19kZWY0NTYifQ==",
    "has_next": true
  }
}

Filtering + sorting

GET /api/v1/customers?filter[lifecycle_stage]=loyal&sort=-last_order_at

- prefix = descending. Filter syntax: filter[field]=value. Multiple filters AND together.

Sparse fieldsets

GET /api/v1/customers?fields=id,email,total_spent

Only requested fields returned (smaller payload, faster).

Includes (for relations)

GET /api/v1/customers/cus_abc123?include=orders,attributions

Bundles related objects into the response.

Error model

Uniform across all surfaces. Errors are JSON; HTTP status codes follow REST conventions:

{
  "error": {
    "code": "validation_failed",
    "message": "email format invalid",
    "details": {
      "field": "email",
      "value": "not-an-email"
    },
    "request_id": "req_abc123"
  }
}
CodeHTTPMeaning
unauthenticated401No or invalid token
forbidden403Token lacks scope
not_found404Resource doesn't exist
validation_failed422Bad request body
rate_limited429Too many requests
idempotency_conflict409Same key, different body
internal_error500Sumeru-side issue
service_unavailable503Maintenance / overload

request_id should be cited when contacting support.

Idempotency

POST + PATCH endpoints accept Idempotency-Key header:

POST /api/v1/campaigns HTTP/1.1
Authorization: Bearer copt_...
Idempotency-Key: my-key-2026-05-10-launch-spring

{ ... }
  • Same key + same body in 24h → returns original response (safe to retry)
  • Same key + different body in 24h → 409 idempotency_conflict
  • Keys auto-expire after 24h

Use UUIDs or your own ULIDs for keys.

Rate limits

See Rate limits for full table. Headers on every response:

X-RateLimit-Limit: 600
X-RateLimit-Remaining: 421
X-RateLimit-Reset: 1715346000

When limited, response includes Retry-After header.

Stability guarantees per endpoint

Each endpoint declares stability:

StabilityMeaning
stableProduction-ready, semver-versioned
betaFunctionally complete; may have minor changes
experimentalSubject to breaking changes; not for prod
deprecatedWill be removed; alternative listed

Header on every response:

X-Sumeru-Stability: stable

Specifications

OpenAPI 3.1 specs available:

  • v1 admin API: https://api.sumeru.systems/openapi/v1-admin.yaml
  • Public endpoints: https://api.sumeru.systems/openapi/public.yaml

Both rendered as full reference at /developers/api/v1-admin/ and /developers/api/public-api/ (auto-generated from spec).

SDKs

Maintained:

LanguageRepo
Node.js / TypeScriptnpm install @sumeru/sdk
Pythonpip install sumeru
PHPcomposer require sumeru/sdk
Rubygem install sumeru_es
Gogo get github.com/sumeru/sdk-go

Each SDK wraps the v1 admin API with type-safe methods + auto-retry + idempotency.

See also