Basic principles

How to call API

API supports communication in JSON format. The URL for calling API requests is https://api.myshoptet.com. The API calls

(endpoints and message formats) are common for private as well as addons access, it however uses different authentication

and authorization principles.

For Addons

API is made to create the supplements for the Shoptet system and uses OAuth2 authorization principles.

To access the API it is necessary to implement a web service at your side, which will communicate with our OAuth server.

In your e-shop administration, which you are using to work with our API, you must search in the API Partner section for the Access to API tab.

Here, you will find your clientID and addresses, from where you can call our OAuth server.

The work with API begins with e-shop addon installation. (The installation process can be tested in the addon detail in the Users section, where you can cause the installation for your e-shop.)

In your addon detail, in the Settings section, enter URL to gain a OAuth code. The URL must be linked to your server, where the script is prepared, which is able to gain an OAuth access token.

At this address, you will receive the HTTP request with a GET parameter code, when installing the addon, with unique value (a 255 character long string).

The code provided only has short-term validity and can be used only once. With this code, request our OAuth server to provide an OAuth access token.

Such a request shall follow within the same script that received the code.

Do not put off gaining the OAuth access token for a later time, and do not reply to our request with a 200 OK status, until you gain the OAuth access token.

The address for you to call, and an example of implementation, can be found in e-shop administration in the Access to API section.

As a response you will obtain a JSON with your OAuth access token. Save this token securely. Never send this token to the client computer, and use it only

for communication between the servers and for gaining the temporary token for access to API.

If you have successfully received an OAuth access token, your script must end with the HTTP status code “200”.

Now you have your OAuth access token, which links your addon with a specific e-shop, perhaps you would like to communicate with the e-shop via API.

From your server, call https://<eshop-address.tld>/action/ApiOAuthServer/getAccessToken address with HTTP header Authorization: Bearer <OAuth access token>.

As the reply, you will receive a JSON containing an API access token value and the token expiration time value. An example of calling can be found in e-shop administration in the Access to API section.

It is possible to request a maximum of 5 valid tokens.

The API access token will enable you to call an individual URL of our API, for example https://api.myshoptet.com/api/eshop. Send the API access token in each request in the HTTP headerShoptet-Access-Token.

You can have several valid API access tokens available at any one time. Should the validity of the API access token expire, you will receive a HTTP status code 401 and message about token expiration.

If your token does not have the access right for a specific endpoint, you will obtain a reply with HTTP status code 403 Forbidden.

For private API access (Premium)

You can create API access tokens simply in the eshop administration. Send them in the request header Shoptet-Private-API-Token.

You can automatically access all API endpoints.

Rate limiting

Rate limiting is at the level of server overload protection (DDoS), whereas the quantity of queries or total volume of data are unlimited.

These are therefore the limits of the maximum number of coincident active connections. A maximum of 50 from a single IP address, and a maximum of 3 connections for a single token. If the limit is exceeded, the HTTP code 429 is returned. See also Nginx configuration:

Some URLs, for example for bulk operations, can have their own specific limits, which are mentioned in this documentation.

Leaky bucket

We have also prepared more detailed rules for checking the efficiency of calling your integrations using a leaky bucket algorithm.

We inform you about reaching the limits via headers X-RateLimit-Bucket-Filling (in every response), and Retry-After (only if bucket is fulfilled), e.g.

For more information, visit API Rate limiter.

Locks

Write endpoints (DELETE, PATCH, POST, PUT methods) can take longer and may be prone to two concurrent matching requests.

To avoid problems with retrying identical write requests, we have added the locking function of these requests to the application.

If you execute the same request two times in quick succession, the second request receives error response with a 423 code.

The lock is only valid for a specific called URL, for the duration of the request processing, but no longer than 5 seconds.

Server response format

All JSON responses from the server have the same format, as a base.

If any of the sections is not present in the response, a null value is then received.

Example of call for addons:

Example of call for private API access:

Example of response:

The basic structure of the response in the event of an error is as follows:

Most of the endpoints are synchronous, i.e. your answer is provided immediately and contains the data requested. There

are however some endpoints, where either the request or the response processing takes longer time. These are implemented as

Asynchronous requests. Your request will be queued and you

receive only job identification in the response. You will be notified using a

webhook when the job is completed and your results

downloadable. Be aware, that registration of webhook job:finished is required to be able to run asynchronous requests.

If webhook is not registered, you will receive an error response with HTTP status code 403 and job won't be queued.

Webhook job:finished is also emitted when the job is failed so there is need to check the Detail of job to get the result of the job. If an error occurs during an asynchronous request, the job is automatically marked as failed 3 hours after its creation, and in this case, the job:finished webhook is not emitted.

Some attributes may be added to the new API version, or the sequence of attributes can be changed.

Your software, therefore, shall not rely on either of these.

If some attributes are renamed or removed, you will be informed in an additional

header - see also API versioning and Deprecated header + Sunset.

Deprecated header + Sunset

If you are calling some endpoint in a version that will not be supported in the future, you will receive a response with the header

X-Shoptet-Deprecated. If you detect this header within the response and its presence is logged,

you should be aware of the support termination for a specific endpoint in advance and thus have enough time for correction.

Furthermore, you shall also receive the response with aSunset header with the date when the support for this endpoint is to be terminated.

Status codes

When processing the response, the client shall first detect, what response status code was received.

For GET requests for responses with 200 code, it is not necessary to explore the errors part of the response.

For PATCH/PUT requests, which can process more records at the same time and some records

are not processed successfully, these end with a 200 response code and the errors key contains info on skipped rows.

The unknown record is returned with a 404 code, etc. These responses have the error field filled in, where you can

find detailed info about the error.

The following errors might be expected:

• 400 - Some of the validations on item level have failed. There is no reason to retry, it will fail always.

• 401 - Invalid token or the token has expired (for addons access tokens). You have to ask for another one.

• 403 - Forbidden. The token has no rights to the endpoint called. The endpoints must be allowed for an addon and the eshop must have approved them. Valid for addons access tokens, private tokens can always access all endpoints. Can be also returned when required module for request is missing.

• 404 - Either the endpoint is wrong; or most commonly, an entity identifier, which is part of the URL, does not exist.

• 409 - Conflict - the action could not be completed for some consistency rules, such as duplicate data or relation, which would be broken.

• 413 - Payload too large - update requests can sometimes contain multiple entities to be amended. There is however a limit (varying for each request), how many can be specified within one request. If you breach the limit, you will get this error and nothing will be updated.

• 422 - Unprocessable entity - we were not able to parse the request - it does not match the expected format. Something is wrong with the request as whole, it might not be a correct JSON or it does not match the expected JSON schema. There is no reason to retry, it will always fail.

• 423 - Locked - for update and some read request we apply locks, usually on an URL level, which should avoid consistency problems possibly occuring from parallel updates. See chapter about locks. Retry later, try to avoid parallel update requests.

• 500 - General server error. Yes, this might happen to our software, too. Most commonly this is a temporary database issue and it might (but might not), work a few minutes later. We monitor all such errors and we try to analyze and fix them.

• 503 - System maintenance. Most commonly we move a database to another database cluster or a database migration is pending and it will be available in a few minutes. Please try later.

Paging

Some endpoints can return larger quantity of records. Such endpoints do not return the entire result, but support pagination of results.

You can page using page (int) and itemsPerPage (int) parameters. The first page has number 1. If you require a different

quantity of items per page, use the itemsPerPage parameter. CAUTION: the number of items per page can be decreased only, the default

value is maximum. The default value can be different for each endpoint.

When paging, check the total number of items, if not altered (totalCount), then the

items on pages could be shifted and some of them could be missed or processed twice.

Section on demand

Some endpoints return the data sections as optional, on demand. The request is done by giving the section name in the

include parameter. Part of the data is returned each time, the other section only on demand. This makes the responses smaller for those, who do not need the data

, thus saving the volume of data transmitted and shortening the time to process the request.

For example, for "Eshop Info" endpoint, you will gain basic info when simply calling [GET] /api/eshop, but payment

methods and transport options only when using [GET] /api/eshop?include=paymentMethods,shippingMethods.

More values are separated by a comma, no sequencing, no upper/lower case differentiation. Other blocks are available on demand

and each endpoint informs you which identifier to request.

Translations

For proper functionality in translations you will have to get module Foreign languages (Cizí jazyky) activated on customer e-shop. Multi-language support in API is handled by query parameter language, which can be used in whole API. If parameter is not set, default shop language is used.

Read endpoints (HTTP verb GET) will return corresponding language version of texts where applicable.

For write endpoints, first use POST endpoint to create entity and then use PATCH endpoint with corresponding language query parameter to set language fields.

Please note that in some endpoints (typically surcharge/filtering/variant parameters) you must use the identifier's currently selected language variant (which is filtered in list).

Files

For files upload, there are Files endpoints.

The file is uploaded to a temporary storage which is not accessible publicly. The file is kept there for 7 days and then deleted.

After you upload a file, you may copy it to some API entities in their endpoints - you specify filename returned in response of upload job.

Please note that currently only images (png, jpg, gif) are allowed filetypes for file upload.

Product images

Shoptet saves the product images in their original size and then prepares several sizes for standardized usage (called

image cuts). These cuts are created in advance and saved on the disk, so they are readily available. The list of cuts is

the same for each e-shop, and each e-shop can theoretically have different cut sizes. In practice, their size is given

by the template and most templates use the same sizes. The list of provided cuts is given by

the Image cuts code list.

The /api/eshop?include=imageCuts endpoint returns the imageCuts field in the response, where each cut has the actual

size defined, and the URL base path. There are two base URLs (example for classic.shoptet.cz, cut detail):

• urlPath: "https://classic.shoptet.cz/user/shop/detail/"

• cdnPath: "https://cdn-api.myshoptet.com/usr/classic.shoptet.cz/user/shop/detail/"

Use the urlPath in case you need an up-to-date image right now. Use the url for your backend processing and you

will retrieve the images only once. Images retrieved via urlPath are not cached. You can use image name or SEO version

of the image name - see below.

Use the cdnPath in case you want to use the image url on the frontend and users of your application will display it,

e.g. if you provide an alternative frontend, mobile application etc. The images are cached and provided with lower

latency. Use cdnName retrieved from the product detail endpoint (or similar) - see below.

Once you determine the URL based on the purpose and image cut size (for example detail for product detail, or related

for product preview), just append the filename you need. The filename can be retrieved from Product detail endpoint.

Although the e-shop is behind the content delivery network (Cloudflare CDN), API still returns the same domain. Whether

the e-shop is behind the Cloudflare CDN, you can find out from response headers (CDN-Loop: cloudflare header).

The product detail endpoint /api/products/{guid}?include=images returns the image field data.images[] in the same

sequence, as these are entered in administration. The file name name (for example 100.jpg) needs to be connected

to the URL cut and then you have complete path to the image of a given cut (size), for example

https://classic.shoptet.cz/user/shop/detail/100.jpg. You can also use seoName, which also contains a description

of the image - you will be redirected to the same image. The cdnName is intended for use with the cdnUrl only.

The fields look like: (excerpt)

One of the images mentioned for the product can be selected as the default image for the product variant. The selected

image is in data.variants[].image item and contains the name of the image – this can be searched for in the image

list, in the name item. Should the variant have no preselected default image, the parameter image is null.

If data.variants[].isProductDefaultImage is true, then the default product image is given. If it is false, then it is the default variant image.

The item data.items[].mainImage contains the main image in order detail - this is either a default variant image,

or, if not set (or product does not have variants), the default product image is given. The structure is the same as

in product details, but not all images are given here, only the default one – representative image. The full path can

be gained by assembling the urlPath from the e-shop info and the name or seoName items, given for the order item.

Similarly, the product list gives data.products[].mainImage, which mentions the initial image for each product.

Code lists

Image cuts

Product visibility

Product types

Types of order items

Sorting of products in category

Webhook event types

(*) These webhooks are considered beta/experimental, for more information, please visit the X-url

Mass Webhooks

These webhooks are sent when a mass change of entities is performed. The payload contains a json serialized list of IDs of changed entities.

Purpose of these webhooks is to downgrade number of requests, while i.e. administrator performs mass change of orders status at once etc.

So instead of emitting one event for every order, we emit one event for all of them.

For now, if some mass event is performed, we also sent "single" webhook event for every updated entity as usual, but it will be changed in future, so please watch release changes for more info

System Webhooks

These webhooks cannot be registered via API, they are setup in Partners' Addon administration section instead.

URL address from endpoint Eshop info

See endpoint Eshop info

List of product catalogues

Invoice Billing Methods

VAT modes

Postman collection

If you use Postman as an API platform for building and using APIs, we provide you a complex collection of Shoptet API.

You have 2 options how to import our postman collection (created from openApi schema - openapi.yaml ) into your postman client

Fork Shoptet API Collection from Shoptet Public API Workspace (recommended)

See Shoptet Public API Workspace.

Also check postman documentation for more details: Fork a collection.

Step 1: Navigate to Shoptet Public API Workspace

• Launch Postman on your desktop or in the browser.

• In the search bar in the top header of app, type Shoptet Public API and select collection from Shoptet public API Workspace.

Step 2: Locate the Shoptet API Collection

• Once inside the Shoptet Public API Workspace, go to the Collections tab.

• Find the Shoptet API collection.

Step 3: Fork the Collection

• Click on the Shoptet API collection to open it.

• In the collection view, click the Fork button in the top-right corner.

• In the fork dialog, choose a name for your forked collection.

• Select the workspace where you want to save the forked collection.

• It’s recommended to check watch original collection to get notified about changes in the original collection.

• Click Fork Collection.

Step 4: Access Your Forked Collection

• Navigate to the workspace where you saved the forked collection.

• You’ll now find the forked Shoptet API collection under the Collections tab, ready for you to use and modify.

Now you have your own copy of the Shoptet API collection! If you want to add changes from the original collection, you can do so by click on pull changes in collection settings.

Import openapi.yaml into Postman as a Collection

Step 1: Upload the openapi.yaml File

• Download the openapi.yaml file from our developers repository.

• Launch Postman on your desktop or in the browser.

• In the top-left corner of Postman, click the Import button.

• A pop-up window will appear.

• Drag and drop your openapi.yaml file into the window, or click Upload Files and browse to the file's location.

Step 2: Verify OpenAPI Import

• Postman will automatically recognize the OpenAPI schema.

• It will display a preview of the API schema.

Step 3: Import as Collection

• Once the file is recognized, click Import.

• Postman will convert the OpenAPI schema into a collection of requests, based on the defined endpoints in the openapi.yaml file.

Step 4: Access the Imported Collection

• After the import is successful, go to the Collections tab.

• You’ll find your new collection, named after the OpenAPI schema, containing all the API requests generated from the file.

Now you can explore the API endpoints and use them directly within Postman!

Collection settings

1. Click the Shoptet API collection name.

2. Go to Authorization tab.

3. Set your access token into the value of Shoptet-Access-Token key.

4. Go to Variables tab.

5. You can set baseUrl variable here.

Last changes

Last API changes are published on the [API news] page (https://developers.shoptet.com/category/api/).