Management API
Programmatically manage your store: create packages, manage coupons, query orders, and more.
The Store Management API is a Pro plan feature. API key creation and usage require an active Pro subscription.
Base URL
https://api.fluxstore.net/api/v1/
The store is determined automatically from your API key, so no store ID is needed in the URL.
Authentication
All Store Management API endpoints require an API key passed in the X-Api-Key header:
curl -H "X-Api-Key: flx_XXXXXXXX_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" \
  https://api.fluxstore.net/api/v1/packages
Getting your API key
- Navigate to Dashboard > Configuration > API Keys
- Click Create API Key
- Enter a name, choose permissions, and optionally set an expiration date
- Copy the key immediately: it is shown once and cannot be recovered
Key format
flx_{storeId}_{secret}
- The storeId is embedded in the key for efficient lookup
- Only the secret portion is hashed and stored
- The full key is displayed exactly once at creation time
Key management
Manage keys via the dashboard or the management API:
| Action | Dashboard | API |
|---|---|---|
| Create key | Configuration > API Keys > Create | POST /api/stores/{storeId}/api-keys |
| List keys | Configuration > API Keys | GET /api/stores/{storeId}/api-keys |
| Revoke key | Click Revoke on key row | DELETE /api/stores/{storeId}/api-keys/{id} |
| Regenerate key | Click Regenerate on key row | POST /api/stores/{storeId}/api-keys/{id}/regenerate |
Management API endpoints require JWT authentication and Stores:Edit permission.
Permissions
Each API key has scoped permissions. Set permissions when creating the key; they cannot be changed after creation. To change scopes, revoke the key and create a new one.
Permissions are defined as a dictionary of resource areas to permission types:
{
  "Packages": ["View", "Edit", "Delete"],
  "Orders": ["View"],
  "Coupons": ["View", "Edit"]
}
Permission areas
| Area | View | Edit | Delete | Description |
|---|---|---|---|---|
| Packages | ✓ | ✓ | ✓ | Package CRUD |
| Categories | ✓ | ✓ | ✓ | Category CRUD |
| Coupons | ✓ | ✓ | ✓ | Coupon CRUD |
| Sales | ✓ | ✓ | ✓ | Sale CRUD |
| GiftCards | ✓ | ✓ | ✓ | Gift card CRUD |
| Orders | ✓ | ✓ | | Order listing + manual creation |
| Customers | ✓ | | | Customer listing (read-only) |
| Bans | ✓ | ✓ | ✓ | Ban CRUD |
| Subscriptions | ✓ | | | Subscription listing (read-only) |
If a key lacks the required permission, the API returns 403 Forbidden.
Rate limiting
- 30 requests per minute per API key (fixed window)
- Rate limit headers are included on every response:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests per window (30) |
| X-RateLimit-Remaining | Remaining requests in current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
When exceeded, the API returns 429 Too Many Requests with a Retry-After header.
Response format
All endpoints return a standard response wrapper:
{
  "success": true,
  "data": { ... },
  "message": null,
  "errors": []
}
Error responses:
{
  "success": false,
  "data": null,
  "message": "Error description",
  "errors": ["Detail 1", "Detail 2"]
}
Errors
| HTTP Status | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request: validation error or malformed input |
| 401 | Authentication failed: missing, invalid, or expired API key |
| 403 | Forbidden: insufficient permissions or Pro subscription lapsed |
| 404 | Resource not found |
| 429 | Rate limit exceeded: wait and retry |
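
A client-side sketch of how the rate-limit headers and the response wrapper described above fit together, added here as an example and not FluxStore's own code. The names `seconds_to_wait`, `unwrap` and `ApiError` are hypothetical, the sample responses are constructed, and because the page does not say which form `Retry-After` takes, both the seconds and HTTP-date forms are handled.

```python
import json
from email.utils import parsedate_to_datetime


class ApiError(Exception):
    """Raised when the response wrapper does not report success."""

    def __init__(self, status, message, errors):
        super().__init__(f"{status}: {message}")
        self.status, self.message, self.errors = status, message, errors


def seconds_to_wait(status, headers, now):
    """Return how long to pause before the next call made with this key."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 429 and "retry-after" in h:
        value = h["retry-after"].strip()
        if value.isdigit():  # delta-seconds form
            return float(value)
        # HTTP-date form (assumption: the page does not specify the form)
        return max(0.0, parsedate_to_datetime(value).timestamp() - now)
    # Window exhausted, or 429 without Retry-After: wait for the reset time
    if status == 429 or h.get("x-ratelimit-remaining") == "0":
        return max(0.0, float(h.get("x-ratelimit-reset", now)) - now)
    return 0.0


def unwrap(status, body):
    """Return the wrapper's data field, or raise ApiError with its details."""
    doc = json.loads(body)
    if status == 200 and doc.get("success") is True:
        return doc["data"]
    raise ApiError(status, doc.get("message"), doc.get("errors") or [])


# Constructed sample responses (not captured from the real service)
NOW = 1_700_000_000
EXHAUSTED = {"X-RateLimit-Limit": "30", "X-RateLimit-Remaining": "0",
             "X-RateLimit-Reset": str(NOW + 42)}
THROTTLED = {"Retry-After": "17", "X-RateLimit-Remaining": "0"}
DENIED_BODY = ('{"success": false, "data": null, "message": "Forbidden", '
               '"errors": ["constructed detail"]}')

if __name__ == "__main__":
    print(seconds_to_wait(200, EXHAUSTED, NOW))
    print(seconds_to_wait(429, THROTTLED, NOW))
```

Pausing as soon as `X-RateLimit-Remaining` reaches 0 keeps an automation job from generating 429 responses at all, which makes a real burst of 429s against a key easier to notice.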
Security
- Key secrets are hashed. Secrets are never stored in plain text and cannot be recovered.
- Pro gating. Creating and using API keys requires an active Pro subscription. If your subscription lapses, existing keys return 403 until renewed.
- Rate limiting. 30 requests per minute per key.
- Input validation. All request fields are validated server-side.
- Data privacy. Gift card codes are never exposed. Customer emails are masked.
- Permissions are immutable. To change scopes, revoke the key and create a new one.