Add to cart
Add item to cart with automatic stock checking. If the same variant already exists in the cart, the quantity is incremented.
Auth / key type: publishable or secret key. This is a storefront write
that is deliberately pk-accessible (it originates in the browser). Anonymous
carts need only the key + X-Session-Id; authenticated carts (customer_id
in the body) also require the customer session token (x-auth-token).
Variant Selection:
variant_idis required to specify which variant to add (e.g., Black vs Blue color)- For simple products (no variants), use the default variant’s ID
- Stock validation is performed against the specific variant
Cart Association:
- Provide
X-Session-Idheader for anonymous carts (before customer login) - Provide
customer_idin request body for authenticated customer carts - If both provided,
customer_idtakes precedence - If neither provided, returns 400 error
Key Type Support:
- Publishable keys (
tybrite_pk_*) — fully supported (browser/storefront) - Secret keys (
tybrite_sk_*) — also supported (server-side)
Anonymous Cart Example:
POST /v1/cart/items
Authorization: Bearer tybrite_pk_live_YOUR_API_KEY
X-Session-Id: session-abc123-xyz789
Content-Type: application/json
{
"variant_id": "9a47e047-b1b6-4c35-9617-820629e22e04",
"quantity": 2
}
Authenticated Cart Example:
POST /v1/cart/items
Authorization: Bearer tybrite_pk_live_YOUR_API_KEY
Content-Type: application/json
{
"variant_id": "9a47e047-b1b6-4c35-9617-820629e22e04",
"quantity": 2,
"customer_id": "650e8400-e29b-41d4-a716-446655440000"
}
SDK example (adds the Sony WH-1000XM4 default variant, $349.99):
Authorizations
API Key Authentication
Use your API key in the Authorization header:
Key Types:
Secret Keys (Server-Side Only):
- Format:
tybrite_sk_live_*(production) ortybrite_sk_test_*(sandbox) - Full read/write access to all endpoints
- ⚠️ NEVER expose in client-side code or public repositories
- Required for: write operations, authentication, payment verification, AI recommendations
Publishable Keys (Client-Safe):
- Format:
tybrite_pk_live_*(production) ortybrite_pk_test_*(sandbox) - Read-only access (GET requests only, plus POST semantic search)
- ✅ Safe for client-side JavaScript, mobile apps, and public code
- Allowed for: browsing products, search, CMS content, pricing queries
Endpoint-Specific Requirements:
- Authentication endpoints (
/v1/auth/*): Secret key required - Payment verification (
POST /v1/payments/verify): Secret key required - AI Recommendations (
POST /v1/recommendations): Secret key required - Semantic Search (
POST /v1/search): Both key types allowed (read-only operation) - All write operations: Secret key required
- All read operations: Both key types allowed
Using a publishable key for restricted operations returns 403 Forbidden.
Headers
Customer session access_token from /v1/auth/login or /v1/auth/verify-otp. Required whenever customer_id is supplied so the gateway can prove the caller owns that customer record. Anonymous (session-only) carts may omit it.
Bring-your-own-auth assertion for stores that manage authentication in an external identity provider (Auth0, Clerk, Cognito, Firebase, NextAuth, SSO). Provide this OR x-auth-token, not both.
Format: <base64url(JSON)>.<base64url(HMAC-SHA256(JSON))> where the JSON is { "external_id": "...", "iat": <unix>, "exp": <unix> } and the HMAC is keyed on the store's signing secret. Claim lifetime capped at 300 seconds.
Session ID for anonymous carts (UUID or random string stored in localStorage). Optional if customer_id is provided in the body.
Body
Specific product variant UUID (required for multi-variant products)
"9a47e047-b1b6-4c35-9617-820629e22e04"
Quantity to add
x >= 12
Customer UUID for authenticated carts (optional if using X-Session-Id)
"650e8400-e29b-41d4-a716-446655440000"

