Register an app
Create your app with a single authenticated request. Authentication uses your Vambe API key
in the x-api-key header.
curl --request POST 'https://api.vambe.me/api/ecommerce-app' \
--header 'x-api-key: your_api_key_here' \
--header 'Content-Type: application/json' \
--data '{
"name": "My Ecommerce X",
"description": "Connects My Ecommerce X stores to Vambe.",
"logo_url": "https://cdn.myecommerce.com/vambe/logo.png",
"website_url": "https://myecommerce.com",
"developer_name": "My Ecommerce X Inc.",
"contact_email": "integrations@myecommerce.com",
"contact_phone": "+56912345678",
"oauth": {
"authorize_url": "https://myecommerce.com/oauth/authorize",
"token_url": "https://myecommerce.com/oauth/token",
"client_id": "vambe-client-id",
"client_secret": "vambe-client-secret",
"scopes": ["read_orders", "read_products"],
"account_info_url": "https://api.myecommerce.com/vambe/account"
},
"capabilities": {
"inbound_events": ["order", "checkout", "fulfillment", "product"],
"outbound": {
"order_get": { "url": "https://api.myecommerce.com/vambe/orders" },
"stock_get": { "url": "https://api.myecommerce.com/vambe/stock" },
"checkout_create": { "url": "https://api.myecommerce.com/vambe/checkout" }
}
}
}'
signing_secret:
{
"id": "f1e2d3c4-β¦",
"slug": "my-ecommerce-x",
"status": "draft",
"signing_secret": "9b1fβ¦(64 hex chars)β¦",
"...": "..."
}
The signing_secret is returned only on creation (and on rotation). Store it securely β
you need it to sign every inbound webhook. You can rotate it later, but it is never shown
again on read.
Display name shown to merchants.
Stable identifier. Auto-derived from name if omitted; must be unique.
Short description shown in the connect UI.
Public URL of your app logo.
Your company/organization name.
Where Vambe redirects the merchant to approve scopes.
Where Vambe exchanges the authorization code for tokens.
The client id you issued for Vambe.
The client secret you issued for Vambe. Stored encrypted at rest.
Scopes requested during authorization.
Optional. Lets Vambe fetch the store identity after connection β required for multi-store apps.
Capabilities
capabilities.inbound_events
Which canonical events you commit to pushing: any of order, checkout, fulfillment,
product. See Inbound Webhooks. URLs Vambe calls on demand. Each entry is { "url": "https://..." }. Supported keys:
order_get, stock_get, checkout_create. If you omit a key, Vambe simply wonβt offer
that assistant tool for your app. See Outbound Capabilities. Manage and submit
Iterate (draft)
Update the app while it is draft or rejected:curl --request PATCH 'https://api.vambe.me/api/ecommerce-app/{id}' \
--header 'x-api-key: your_api_key_here' \
--header 'Content-Type: application/json' \
--data '{ "description": "Updated copy" }'
Submit for review
curl --request POST 'https://api.vambe.me/api/ecommerce-app/{id}/submit' \
--header 'x-api-key: your_api_key_here'
pending_review and notifies the Vambe team.Get approved
Once Vambe approves it, the app becomes approved and is installable by any account.
Until then it is visible only to your account.
Other endpoints
| Method | Path | Purpose |
|---|
GET | /api/ecommerce-app | List your apps. |
GET | /api/ecommerce-app/{id} | App detail (no secret). |
POST | /api/ecommerce-app/{id}/rotate-secret | Generate a new signing secret. |
DELETE | /api/ecommerce-app/{id} | Delete the app. |
GET | /api/ecommerce-app/available | Apps installable by the current account. |
Editing an approved app is blocked β only draft/rejected apps are editable. Editing a
rejected app moves it back to draft so you can resubmit.
