The API is implemented as REST; requests and responses are sent in JSON format. The API is only an interface for reading and updating data. The URLs that are called, known as endpoints, serve both read and write requests and are listed in the documentation. In addition, an event notification service (webhooks) is available: after you register a webhook, we call the URL you entered when the given event occurs, for example after a new order has been created. The API is not intended for editing the e-shop frontend, but certain modifications can be made using HTML code inserted into templates.
The API is not freely accessible; it is currently available to developers of so-called addons, which are published on the marketplace at https://doplnky.shoptet.cz once completed. From there, any e-shop can install them (except the trial version). At present, not every e-shop operator can use the API, nor can partners who would develop for only a single e-shop.
The installation creates a unique API key that identifies the pair of e-shop and addon. It is used to obtain short-term API access tokens, which must be sent as the authentication in the HTTP header of each API call.
Addons (API-based software) must run and store data on the developer-partner's infrastructure. Shoptet does not provide hosting or data storage for the addon. The developer has a free hand in the choice of technology.
An addon calling the API can access all e-shop data, including for example orders, prices, or customer data. Therefore, each addon must declare what data it uses, and only the corresponding calls can then be made with that API key. The list of requested data is approved by Shoptet before the addon is posted on the addon website (https://doplnky.shoptet.cz), and any user (e-shop operator) can review it prior to installation.
If a new version of the addon requires additional data, the scope of the permissions needs to be extended and approved first by Shoptet and then by the user. The user is notified in the administration that new permissions are required and is then guided through the approval.
To develop a new addon, the partner has a test e-shop available, which serves for development and testing. The approved partner has an “API Partner” section, in which the new addon can be entered, the required endpoints defined, and a temporary test API access token obtained, tied to the partner's test e-shop. With this, the developer can call API endpoints (which provide the data from the partner test e-shop).
Sooner or later, it is necessary to create an installation routine, which runs when someone orders the addon. To develop the installation routine, you can simulate the installation of the addon. By installing the addon in its test e-shop, the partner receives a permanently valid API key (OAuth access token), which is used to request the short-term API tokens and to call the API (which provides data from its test e-shop).
Then it is possible to call the API and program the addon's activity. After the addon has been debugged and approved by Shoptet, it is made available for installation on the addon website to all e-shops.
Working with the addon basically has two steps: installation and normal operation.
During installation, the partner's installation URL is called to obtain the API key (OAuth access token) and to determine the identity of the e-shop that is installing the addon. Both must be stored securely.
At the same time, this is your notification of a new client, to whom you may want to send a welcome e-mail, create a profile, download basic data, access various settings, and so on.
The short-term API access token is used to call the individual API endpoints. It is obtained from the OAuth server; to do so, you must authenticate with the OAuth access token obtained in the first step (the installation). The API access token is therefore again valid for one addon and one e-shop. It expires after 30 minutes, after which a new one has to be requested. It is a good idea to store it, but this is not as critical as for the OAuth access token from step 1, because its validity is time limited. You can either monitor its validity and request a new one after it has expired, or use it until our API returns HTTP code 401 with the message “invalid-token”, then request a new token and repeat the call.
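The token lifecycle described above, as an added example that is not Shoptet's own code: a small client that holds the permanent OAuth access token, caches the short-term API access token, renews it shortly before the 30-minute expiry, and, if the API still answers 401 “invalid-token”, requests a fresh token once and repeats the call. The real OAuth server URL, request format and endpoint paths are in the Shoptet documentation and are not on this page, so the example talks to a constructed `FakeShoptet` stand-in with hypothetical `issue_api_token()` and `call()` methods; the sample token values are likewise constructed.

```python
"""Short-term API token handling for a Shoptet-style addon (added example, not Shoptet's code)."""
import time
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

TOKEN_LIFETIME_S = 30 * 60  # from the text: an API access token expires after 30 minutes
SAFETY_MARGIN_S = 60        # renew a little early so a request never races the expiry


class FakeShoptet:
    """Constructed offline stand-in for the OAuth server and REST API (hypothetical, not the real API)."""
    OAUTH_ACCESS_TOKEN = "oauth-token-from-installation"  # constructed sample value

    def __init__(self) -> None:
        self.issued = 0          # how many short-term tokens were handed out
        self._valid = set()      # tokens the "server" currently accepts

    def issue_api_token(self, oauth_access_token: str) -> dict:
        """Exchange the permanent OAuth access token for a short-term API access token."""
        if oauth_access_token != self.OAUTH_ACCESS_TOKEN:
            raise PermissionError("OAuth access token not accepted")
        self.issued += 1
        token = f"api-token-{self.issued}"
        self._valid.add(token)
        return {"access_token": token, "expires_in": TOKEN_LIFETIME_S}

    def revoke(self, token: str) -> None:
        """Simulate server-side invalidation (e.g. expiry) of a token the client still holds."""
        self._valid.discard(token)

    def call(self, method: str, path: str, api_token: str) -> Tuple[int, dict]:
        """Return (HTTP status, JSON body); 401 + 'invalid-token' mirrors the behaviour in the text."""
        if api_token not in self._valid:
            return 401, {"errors": [{"message": "invalid-token"}]}
        return 200, {"data": {"method": method, "path": path}}


def _is_invalid_token(body: dict) -> bool:
    """True when the error body carries the 'invalid-token' message."""
    return any(err.get("message") == "invalid-token" for err in body.get("errors", []))


@dataclass
class AddonApiClient:
    oauth_access_token: str                     # permanent, per addon + e-shop, from installation
    transport: FakeShoptet                      # would be an HTTP client against the real endpoints
    clock: Callable[[], float] = time.time      # injectable for deterministic tests
    _api_token: Optional[str] = field(default=None, init=False)
    _expires_at: float = field(default=0.0, init=False)

    def _request_new_token(self) -> str:
        resp = self.transport.issue_api_token(self.oauth_access_token)
        self._api_token = resp["access_token"]
        self._expires_at = self.clock() + resp["expires_in"]
        return self._api_token

    def _current_token(self) -> str:
        """Strategy 1 from the text: monitor validity and renew before the token expires."""
        if self._api_token is None or self.clock() >= self._expires_at - SAFETY_MARGIN_S:
            return self._request_new_token()
        return self._api_token

    def request(self, method: str, path: str) -> dict:
        """Strategy 2 from the text: on 401 'invalid-token', fetch a new token once and repeat."""
        status, body = self.transport.call(method, path, self._current_token())
        if status == 401 and _is_invalid_token(body):
            status, body = self.transport.call(method, path, self._request_new_token())
        if status != 200:
            raise RuntimeError(f"API call failed with HTTP {status}: {body}")
        return body


if __name__ == "__main__":
    api = FakeShoptet()
    client = AddonApiClient(FakeShoptet.OAUTH_ACCESS_TOKEN, api)
    print(client.request("GET", "/api/orders"))
```

The retry is deliberately limited to one attempt: if the freshly issued token is also rejected, something other than expiry is wrong (revoked installation, wrong OAuth access token) and the error should surface rather than loop.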