The public surface is storefront-only
Every endpoint serves a shopper on a storefront, or a headless backend acting on that shopper’s behalf: browsing the catalog, searching, reading reviews, managing a cart, placing an order, paying, signing in. Store management does not appear on the public API — creating products, moderating reviews, issuing refunds, and changing configuration all happen in the merchant’s admin, against the database directly. That boundary is what makes a publishable key safe to embed in a browser. There is no administrative surface behind it to abuse, so the read-only guarantee is real rather than a matter of trust. It also keeps the surface small and cacheable, which the rest of the architecture depends on.Catalog ingestion is the one sanctioned exception: a merchant syncing their own product feed into GC
is machine-to-machine work that cannot live in a UI. It sits behind the strictest auth on the platform —
a secret key and an HMAC signature together. See Ingestion.

