Skip to main content
POST
Place a wholesale order directly (self-serve checkout)

Authorizations

Authorization
string
header
required

API Key Authentication

Use your API key in the Authorization header:

Key Types:

Secret Keys (Server-Side Only):

  • Format: tybrite_sk_live_* (production) or tybrite_sk_test_* (sandbox)
  • Full read/write access to all endpoints
  • ⚠️ NEVER expose in client-side code or public repositories
  • Required for: write operations, authentication, payment verification, AI recommendations

Publishable Keys (Client-Safe):

  • Format: tybrite_pk_live_* (production) or tybrite_pk_test_* (sandbox)
  • Read-only access (GET requests only, plus POST semantic search)
  • ✅ Safe for client-side JavaScript, mobile apps, and public code
  • Allowed for: browsing products, search, CMS content, pricing queries

Endpoint-Specific Requirements:

  • Authentication endpoints (/v1/auth/*): Secret key required
  • Payment verification (POST /v1/payments/verify): Secret key required
  • AI Recommendations (POST /v1/recommendations): Secret key required
  • Semantic Search (POST /v1/search): Both key types allowed (read-only operation)
  • All write operations: Secret key required
  • All read operations: Both key types allowed

Using a publishable key for restricted operations returns 403 Forbidden.

Headers

x-auth-token
string

Buyer session token (GC-native). Provide this or x-external-auth.

x-external-auth
string

Bring-your-own-auth assertion identifying the buyer. Provide this or x-auth-token.

Idempotency-Key
string
required

A unique key so a retried order is not duplicated.

X-Timestamp
string
required

Unix timestamp (milliseconds) used in the request signature. Required — a direct order must be signed, like a standard order. Must be within 5 minutes of the server time.

X-Signature
string
required

Base64 HMAC-SHA256 of {X-Timestamp}.{raw JSON body} using the store's signing secret. Required — a direct order must be signed, like a standard order.

Body

application/json
items
object[]
required

The items to order. Prices are resolved by Galactic Core; do not send prices.

note
string

An optional note on the order.

shipping_address
string

An optional free-text shipping address for this order.

shipping_address_parts
object

An optional structured shipping address. When provided, tax is calculated accurately for the destination; otherwise the store's configured rate applies.

currency
string

The order currency, e.g. USD.

Response

Order placed. The settlement field is terms (an invoice was issued) or pay_now (an order awaiting payment). Fields present depend on which. tax_amount is always resolved server-side; total/amount are tax-inclusive.

The result of a direct wholesale order. settlement is terms (a terms invoice was issued — invoice_id, invoice_number, and due_date are present) or pay_now (the order awaits payment — order_id, order_number, and amount are present; complete payment through the standard payment flow using order_id). purchase_order_id, po_number, and currency are always present.

settlement
enum<string>
required

How the order settles — on terms (invoice) or pay now (awaiting payment).

Available options:
terms,
pay_now
purchase_order_id
string<uuid>
required
po_number
string
required
currency
string
Example:

"USD"

total
number

The order total, tax included (present on a terms order).

tax_amount
number

The tax on the order, resolved server-side — jurisdiction-accurate when a shipping address is supplied, otherwise the store's configured rate, and zero for a tax-exempt buyer.

invoice_id
string<uuid> | null

The issued invoice (terms only).

invoice_number
string | null

The issued invoice number (terms only).

due_date
string<date> | null

When the invoice is due (terms only).

order_id
string<uuid> | null

The order to pay (pay-now only).

order_number
string | null

The order number (pay-now only).

amount
number

The amount to pay, tax included (present on a pay-now order).