Setting up an Application


Creating an Application

To use the Instantcart API, you need to create a Partner account.  This can be done simply by regsitering with us or creating a trial store.  Once you have created an account, navigate to the Create an APP page and complete the basic details for your application.  At this stage, dont worry about pricing and other details - we will collect these from you during the APP submission stage.

Please note at this stage, we can only allow the creation of External APPs.  Native App support will not be available until our next control panel release.

API Basics

The Instantcart API uses HTTP basic auth for authenticating API Calls which appear as follows:-

If a call is made without a valid api key and password, an unauthorised HTTP header is returned. Each call is made via an authorised Instantcart App.

Testing the API

You can make test calls directly to the API using by selecting the the Authentication option, and then adding your HTTP Basic authentication header username and password into the boxes provided.  Please be sure to remove the apiKey and password from the above URL when using Hurl, and simply query the clean URL.  Hurl will build the authentication headers for you.

Setting up an Application

Each API call has to be made via an authorised Instantcart Application. Once your application has been authorised by us, you will receive an APP key, and a secret key for authenticating requests. Remember to keep the secret key secure and to never share it with anyone - this could put your users data at risk.

Lets show you how the process works.

1. A user heads over to your application address, ie On their first visit they the application checks if they are logged in - If not, the user is sent to their controlpanel to login and authorise the application. The authorisation is done silently if the user has already installed the application, otherwise they will be presented with an Installation popup modal asking if they wish to grant access to their store via the application.


2. On successful login to Instantcart, the user is re-directed back to the application via the Return Url, specified by the applications owner. Instantcart appends a set of url variables to the return url so the application can authenticate that the request is genuine.


3. Application can then authenticate that the request is genuine.

Heres an example in PHP. We check that the signiture above, that was passed from Instantcart is correct by creating an MD5 hash by concatenating the return url parameters in the following order:

md5($this->secret . 'shop=' . $this->shop_domain . 't=' . $this->token . 'timestamp=' . $this->timestamp)

In more detail, heres a PHP function that compared the input signiture is the same as the signiture we have using our secret key.

    public function doSignitureCheck($instantcartSig) {
        return (md5($this->secret . 'shop=' . $this->shop_domain . 't=' . $this->token . 'timestamp=' . $this->timestamp) === $instantcartSig);

4. Application then creates an access password by concatenating the received token to the application secret key as follows.

$password = md5($this->secret . $this->token);

5. The application can now access data for the authorised Instantcart store by issuing an API call as follows. Remember to store the access password in a safe place so you can make repeat calls for the life of the access password (currently 1 hour):-
Have more questions? Submit a request


Powered by Zendesk