Developers: Overview
The Developers settings section is where merchants configure integration credentials and app connectivity.
Tabs:
- System Key
- Credentials
- OAuth Apps
- Webhooks
- Events
- Logs
Which Credential To Use
| Credential | Token Prefix | Use It When | Never Use It In |
|---|---|---|---|
| System API key | eshopos_test_ck_... / eshopos_live_ck_... | Your own trusted backend services and internal automations need broad API access | Browser, mobile app, client-side code |
| Secret key | eshopos_test_sk_... / eshopos_live_sk_... | A developer's server needs write access to public API resources | Browser, mobile app, client-side code |
| Publishable key | eshopos_test_pk_... / eshopos_live_pk_... | Frontend code needs safe read-only access | Server-side privileged write flows |
| OAuth access token | eshopos_oat_... | A third-party app installed by a merchant via OAuth calls APIs for that merchant | Storing permanently as a static key |
What Developers Build On
Developers integrate against:
- Public integration API: /api/public/v1/*
- OAuth protocol endpoints: /api/public/v1/oauth/*
Private management routes are dashboard/backoffice-only and not part of this public integration surface.
Authentication Format
All credentials are sent as either:
- Authorization: Bearer <token> (recommended)
- X-API-Key: <token>
Bearer token is just the transport format. It is not a separate product.
Mode Rules (test vs live)
Modes are strictly separated:
- Token prefix already encodes mode (test or live)
- You can set request mode with X-EshopOS-Mode: test|live
- If request mode and token mode differ, the request is rejected with a mode mismatch
Working Request Template
```bash
BASE_URL="http://localhost:8080"
TOKEN="eshopos_test_ck_replace_me"
curl -sS "$BASE_URL/api/public/v1/payments/supported-countries" \
  -H "Authorization: Bearer $TOKEN" \
  -H "X-EshopOS-Mode: test"
```
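
A pre-flight check for the credential table and mode rules above, as an added example (not EshopOS code): it classifies a token by its documented prefix, catches a test/live mismatch before the request is sent, and refuses a system or secret key in client-side code. The function names, return codes, and the treatment of eshopos_oat_ tokens as carrying no mode are assumptions.

```shell
# Added example: classify an EshopOS token by the prefixes in the credential
# table. Prints "<kind> <mode>"; returns 1 for an unrecognized prefix.
eshopos_classify() {
  case "$1" in
    eshopos_test_ck_?*) echo "system test" ;;
    eshopos_live_ck_?*) echo "system live" ;;
    eshopos_test_sk_?*) echo "secret test" ;;
    eshopos_live_sk_?*) echo "secret live" ;;
    eshopos_test_pk_?*) echo "publishable test" ;;
    eshopos_live_pk_?*) echo "publishable live" ;;
    # Assumption: the oat prefix carries no mode, so none is checked locally.
    eshopos_oat_?*)     echo "oauth unknown" ;;
    *) return 1 ;;
  esac
}

# eshopos_preflight TOKEN REQUEST_MODE CONTEXT   (CONTEXT: server | client)
# Returns 0 if usable, 2 unrecognized prefix, 3 mode mismatch,
# 4 system/secret key in client-side code, 5 invalid request mode.
eshopos_preflight() {
  local token="$1" req_mode="$2" context="$3" info kind mode
  case "$req_mode" in test|live) ;; *) return 5 ;; esac
  info="$(eshopos_classify "$token")" || return 2
  kind="${info% *}"; mode="${info#* }"
  # The server rejects a mismatch anyway; failing here avoids sending the token.
  if [ "$mode" != "unknown" ] && [ "$mode" != "$req_mode" ]; then
    return 3
  fi
  if [ "$context" = "client" ]; then
    case "$kind" in system|secret) return 4 ;; esac
  fi
  return 0
}

# Sends a GET in the shape of the request template, only if preflight passes.
eshopos_get() {
  local base_url="$1" token="$2" req_mode="$3" path="$4"
  eshopos_preflight "$token" "$req_mode" server || return $?
  curl -sS "$base_url$path" \
    -H "Authorization: Bearer $token" \
    -H "X-EshopOS-Mode: $req_mode"
}
```

The same `eshopos_preflight ... client` call can run in a frontend build step, failing the build when a configured key is a system or secret key.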