Skip to main content
Version: 1.0.0

Corp-Ops Public API

These endpoints are the public surface of Corp-Ops: they are intentionally unauthenticated for read paths and CORS-allowed from any origin so a merchant's storefront can call them directly.

Conventions:

  • All read endpoints emit Cache-Control: public, max-age=300.
  • All endpoints accept and require a shop parameter (the merchant's *.myshopify.com domain).
  • PII never leaves the boundary except when it belongs to the calling customer (referral page).
  • Mutations are idempotent on natural keys.
  • Rate-limited per-shop. Breach returns 429 with Retry-After.

Auth model:

  • Read endpoints: none required.
  • Storefront-account-gated mutations (review submit, etc.): use the Shopify Customer Account session.
  • WhatsApp opt-in: posts via the Shopify App Proxy of /api/whatsapp-engine, which validates the proxy signature.

Contact

Corp-Ops Support: support@corp-ops.io

URL: https://docs.corp-ops.io

License

Last updated on by chandela