API reference
The Storlaunch API is a REST API that uses JSON for both requests and responses. It's the same API our portal and SDKs use; if you want to integrate Storlaunch directly without an SDK, this section covers everything you need.
Base URL
https://storlaunch.forjio.com/api/v1
The same base URL handles both test and live API keys. The key itself determines the environment.
For staging:
https://staging-storlaunch.forjio.com/api/v1
You can get staging keys from us — email hello@storlaunch.forjio.com.
Authentication
Every request must include a bearer API key. The Storlaunch API uses a simple Authorization: Bearer scheme — no signing, no timestamping.
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxx
API keys are prefixed by environment and access level:
| Prefix | Environment | Access |
|---|---|---|
pk_test_… |
Test | Read-only public data (safe in frontend code) |
pk_live_… |
Live | Read-only public data (safe in frontend code) |
sk_test_… |
Test | Full account access (server-only) |
sk_live_… |
Live | Full account access (server-only) |
See Authentication for the full key lifecycle and security guidance.
Storlaunch is not Plugipay. If you've worked with Plugipay's API, note that Storlaunch uses plain bearer tokens, not HMAC request signing. Storlaunch consumes Plugipay under the hood (using HMAC), but exposes a simpler scheme to its own integrators.
Response envelope
Every successful API response is wrapped in a uniform envelope (provided by @forjio/sdk/http):
{
"data": { /* the response payload */ },
"error": null,
"meta": {
"requestId": "req_01H...",
"timestamp": "2026-05-12T10:42:00Z"
}
}
List endpoints have a paginated variant:
{
"data": [ /* items */ ],
"error": null,
"meta": {
"requestId": "req_01H...",
"timestamp": "2026-05-12T10:42:00Z",
"page": {
"limit": 50,
"hasMore": true,
"nextCursor": "cur_xxx"
}
}
}
Errors keep the envelope shape but set error:
{
"data": null,
"error": {
"code": "VALIDATION_ERROR",
"message": "name is required",
"field": "name"
},
"meta": { "requestId": "...", "timestamp": "..." }
}
Pagination
List endpoints use cursor-based pagination:
GET /api/v1/storefront/products?limit=50
Response includes meta.page.nextCursor. To fetch the next page:
GET /api/v1/storefront/products?limit=50&cursor=cur_xxx
When hasMore is false, you've reached the end.
Idempotency
Mutating endpoints (POST, PUT, PATCH) accept an Idempotency-Key header. If you send the same key twice within 24 hours, you get back the same response — no duplicate operation.
curl -X POST https://storlaunch.forjio.com/api/v1/storefront/products \
-H "Authorization: Bearer sk_test_xxx" \
-H "Idempotency-Key: my-unique-attempt-id-001" \
-H "Content-Type: application/json" \
...
Use idempotency keys for any operation that creates a durable record: products, orders, fulfilments.
Rate limits
Default limits per workspace:
| Endpoint class | Limit |
|---|---|
| Read (GET) | 100 req/sec |
| Write (POST/PUT/PATCH/DELETE) | 20 req/sec |
| Webhook delivery (to you) | No limit, but exponential backoff on failures |
Limits are returned in response headers:
X-RateLimit-LimitX-RateLimit-RemainingX-RateLimit-Reset
On exceeding the limit you get 429 Too Many Requests with a Retry-After header.
Resource map
The API is organized by module. Each resource has a CRUD-like surface:
| Module | Path prefix | Covers |
|---|---|---|
| Storefront | /api/v1/storefront/products |
Products, variants, files |
| Storefront | /api/v1/storefront/licenses |
License key generation |
| Storefront | /api/v1/storefront/deliveries |
Digital delivery records |
| Storefront | /api/v1/storefront/public |
Public catalog (unauthenticated reads) |
| Manual orders | /api/v1/manual-orders |
Phone/DM orders |
| Inventory | /api/v1/inventory |
Stock levels and adjustments |
| Shipping | /api/v1/shipping |
Zones, rates, labels |
| Discount codes | /api/v1/discount-codes |
Discount creation and validation |
| Customers (buyers) | /api/v1/account/... |
Buyer records |
| Account / settings | /api/v1/account |
Workspace settings |
| Domains | /api/v1/account/domains |
Custom storefront domains |
| API keys | /api/v1/account/api-keys |
Key management |
| Audit log | /api/v1/account/audit-log |
Activity history |
| Analytics | /api/v1/analytics |
Storefront and order metrics |
| Reports | /api/v1/reports |
Finance reports, exports |
| Payouts | /api/v1/payouts |
Manual payouts (Xendit disbursement upgrade path) |
| Ledger | /api/v1/ledger |
Per-order financial ledger |
| Modules | /api/v1/modules |
Toggle paid modules per workspace |
| Onboarding | /api/v1/onboarding |
Initial setup state |
| Payments (proxy) | /api/v1/payment/... |
Plugipay surface, scoped to this workspace |
| Marketing (proxy) | /api/v1/account/marketing/... |
Ripllo surface, scoped to this workspace |
The Plugipay-backed /api/v1/payment/* and Ripllo-backed /api/v1/account/marketing/* proxies expose those products' APIs under Storlaunch authentication. You don't mint Plugipay or Ripllo keys directly; your Storlaunch key is enough.
Webhooks
Storlaunch sends webhook events for state changes you care about: order.created, order.paid, order.fulfilled, product.updated, and so on.
Events are signed with HMAC-SHA256; you verify the signature before trusting the payload. The signing scheme uses the X-Storlaunch-Signature header.
A full webhook events catalog and verification recipe will land at API → Webhooks. Meanwhile the SDK overview shows a verifyWebhook helper that hides the details.
OpenAPI spec
A machine-readable OpenAPI 3.0 spec is at storlaunch.forjio.com/api/v1/openapi.json. You can use it with any OpenAPI tooling (Postman, openapi-generator, etc.) to generate clients in languages we don't ship SDKs for.
Next
- Authentication — the full bearer-key recipe with worked examples.
- SDKs — the per-language guides.
- Concepts — the data model behind every endpoint.