Update customer
Partially update the authenticated customer’s profile. Only the fields provided in the request body are updated.
Customer-self authentication required. Provide exactly one of:
x-auth-token— Galactic Core customer session JWT.x-external-auth— bring-your-own-auth assertion (HMAC-signed claim carryingexternal_idand a(iat, exp)window ≤ 300 seconds).
Mismatch returns 403. Providing both headers returns 400. Protected
fields (store_id, auth_user_id, environment) cannot be modified.
Authorizations
API Key Authentication
Use your API key in the Authorization header:
Key Types:
Secret Keys (Server-Side Only):
- Format:
tybrite_sk_live_*(production) ortybrite_sk_test_*(sandbox) - Full read/write access to all endpoints
- ⚠️ NEVER expose in client-side code or public repositories
- Required for: write operations, authentication, payment verification, AI recommendations
Publishable Keys (Client-Safe):
- Format:
tybrite_pk_live_*(production) ortybrite_pk_test_*(sandbox) - Read-only access (GET requests only, plus POST semantic search)
- ✅ Safe for client-side JavaScript, mobile apps, and public code
- Allowed for: browsing products, search, CMS content, pricing queries
Endpoint-Specific Requirements:
- Authentication endpoints (
/v1/auth/*): Secret key required - Payment verification (
POST /v1/payments/verify): Secret key required - AI Recommendations (
POST /v1/recommendations): Secret key required - Semantic Search (
POST /v1/search): Both key types allowed (read-only operation) - All write operations: Secret key required
- All read operations: Both key types allowed
Using a publishable key for restricted operations returns 403 Forbidden.
Headers
Galactic Core customer session access_token. The resolved customer must match the {id} path parameter. Provide this OR x-external-auth, not both.
Bring-your-own-auth assertion. Format: <base64url(JSON)>.<base64url(HMAC-SHA256(JSON))> where the JSON is { "external_id": "...", "iat": <unix>, "exp": <unix> } signed with the store's hmac_secret. Claim lifetime capped at 300 seconds. Provide this OR x-auth-token, not both.
Path Parameters
Body
active, inactive Optional identifier from an external identity provider. Set or update the link between this Galactic Core customer and your upstream user.
"auth0|66a3f8c2b1d9c204a1f7e3d1"
Response
Customer updated successfully

