Skip to main content
This walks through the whole flow against a local dev install (localhost:4000). Adapt the host and secret for staging / production.
All snippets assume bash, curl, openssl, python3, and Node ≥ 20.

0. Sandbox credentials

Ask us for a test partner; for local development you can use the seeded acme partner whose credentials are printed at the bottom of npm run db:seed. A worked set looks like:

1. Provision a user from your backend

Expected response:
Save userId if you want to look the user up in our admin panel — it’s not required by any subsequent call.

2. Mint a JWT for the user

Save this script as mint-jwt.mjs:
mint-jwt.mjs
Run it:

3. Bootstrap the consumer session

Expected:

4. Open the webview

In your native app, load:
(Production: https://<your-host>/consumer#token=… — the CMS / consumer SPA ships from the same origin as the API.) The webview will call /me, render the catalog, and let the user claim and redeem vouchers.

5. Receive the redemption webhook

When the user redeems a voucher, your webhookUrl receives a POST. See Webhook payloads for the body shape and a verification snippet.

6. Anonymise the user

For a deletion / GDPR-style request:
Expected: HTTP 204. The user’s PII is cleared; their redemption history is preserved. You can revive the row at any time with another POST /integrations/users.

Next steps

JWT auth

Required claims, JWKS rotation, library examples.

HMAC auth

Algorithm, rotation, signing snippets.

Webhook delivery

Retry schedule, idempotency, receiver checklist.

Errors reference

Every error code, what it means, what to do.