Get cart
Retrieve cart contents for customer or session.
Auth / key type: publishable key (tybrite_pk_*) or secret key
(tybrite_sk_*) — both accepted. Anonymous (session-only) carts need just the
key; authenticated carts (customer_id) also require a customer session token
(x-auth-token) proving the caller owns that customer record.
Cart Association:
- Provide
X-Session-Idheader for anonymous carts (before customer login) - Provide
customer_idquery parameter for authenticated customer carts - If both provided,
customer_idtakes precedence - If neither provided, returns 400 error
Anonymous Cart Flow:
GET /v1/cart
Authorization: Bearer tybrite_pk_live_YOUR_API_KEY
X-Session-Id: session-abc123-xyz789
Authenticated Cart Flow:
GET /v1/cart?customer_id=550e8400-e29b-41d4-a716-446655440000
Authorization: Bearer tybrite_pk_live_YOUR_API_KEY
SDK example:
Authorizations
API Key Authentication
Use your API key in the Authorization header:
Key Types:
Secret Keys (Server-Side Only):
- Format:
tybrite_sk_live_*(production) ortybrite_sk_test_*(sandbox) - Full read/write access to all endpoints
- ⚠️ NEVER expose in client-side code or public repositories
- Required for: write operations, authentication, payment verification, AI recommendations
Publishable Keys (Client-Safe):
- Format:
tybrite_pk_live_*(production) ortybrite_pk_test_*(sandbox) - Read-only access (GET requests only, plus POST semantic search)
- ✅ Safe for client-side JavaScript, mobile apps, and public code
- Allowed for: browsing products, search, CMS content, pricing queries
Endpoint-Specific Requirements:
- Authentication endpoints (
/v1/auth/*): Secret key required - Payment verification (
POST /v1/payments/verify): Secret key required - AI Recommendations (
POST /v1/recommendations): Secret key required - Semantic Search (
POST /v1/search): Both key types allowed (read-only operation) - All write operations: Secret key required
- All read operations: Both key types allowed
Using a publishable key for restricted operations returns 403 Forbidden.
Headers
Customer session access_token from /v1/auth/login or /v1/auth/verify-otp. Required whenever customer_id is supplied so the gateway can prove the caller owns that customer record. Anonymous (session-only) carts may omit it.
Bring-your-own-auth assertion for stores that manage authentication in an external identity provider (Auth0, Clerk, Cognito, Firebase, NextAuth, SSO). Provide this OR x-auth-token, not both.
Format: <base64url(JSON)>.<base64url(HMAC-SHA256(JSON))> where the JSON is { "external_id": "...", "iat": <unix>, "exp": <unix> } and the HMAC is keyed on the store's signing secret. Claim lifetime capped at 300 seconds.
Session ID for anonymous carts (UUID or random string stored in localStorage)
Query Parameters
Customer UUID for authenticated carts

