Buyer-safe by default
The first endpoint returns the same verified, buyer-visible catalog projection used by marketplace discovery.
Developers
Apparel Market now exposes a versioned, key-gated catalog API for verified marketplace discovery. It is intentionally narrow: stable read access first, local webhook scaffolding, then inventory, order, payment, and EDI surfaces as the operating model matures.
API v1
This gives partners and internal operators a documented contract before deeper connector work begins.
The first endpoint returns the same verified, buyer-visible catalog projection used by marketplace discovery.
Requests use a bearer token or x-apparel-market-api-key header. Signed-in admins manage issued credentials in operational settings.
Filters mirror the marketplace taxonomy: category, department, product type, ship-to country, availability, and price tier.
The API starts with read-only catalog discovery and leaves space for webhooks, orders, inventory, and EDI adapters.
Endpoint
Returns verified buyer-visible brands and products with optional discovery filters. Use a credential issued through the signed-in admin operations flow. This endpoint requires the catalog:read scope and does not expose public write operations.
curl "http://localhost:3004/api/v1/catalog?category=Outerwear&shipToCountry=United%20Kingdom" \ -H "Authorization: Bearer <YOUR_APPAREL_MARKET_API_KEY>"
SDK examples
These snippets are intentionally small enough for partner SDKs, internal smoke tests, and connector pilots. Catalog examples only request read scope; webhook examples verify the raw signed payload before parsing event JSON.
Full examples live in docs/developer-api-examples.md for agents and partner-facing implementation notes.
curl
Fetch buyer-visible brands and products with marketplace discovery filters.
curl "http://localhost:3004/api/v1/catalog?category=Outerwear&shipToCountry=United%20Kingdom&productLimit=12" \ -H "Authorization: Bearer <YOUR_APPAREL_MARKET_API_KEY>" \ -H "Accept: application/json"
Requires catalog:read.Returns the same buyer-visible catalog projection used by marketplace discovery.typescript
Small fetch client for server jobs, partner tools, or smoke tests.
type CatalogResponse = {
apiVersion: string;
data: { brands: Array<{ id: string; name: string }>; products: Array<{ id: string; name: string }> };
};
export async function readCatalog(apiKey: string) {
const response = await fetch("http://localhost:3004/api/v1/catalog?availabilityType=Ready-to-Ship", {
headers: {
Authorization: `Bearer ${apiKey}`,
Accept: "application/json"
}
});
if (!response.ok) {
throw new Error(`Catalog API failed: ${response.status}`);
}
return (await response.json()) as CatalogResponse;
}Handles non-2xx API responses explicitly.Does not request or assume write scopes.typescript
Verify Apparel Market webhook signatures before parsing or trusting the event.
import { createHmac, timingSafeEqual } from "node:crypto";
export function verifyApparelMarketWebhook(input: {
rawBody: string;
timestamp: string;
signature: string;
signingSecret: string;
}) {
const expectedSignature =
"v1:" +
createHmac("sha256", input.signingSecret)
.update(`${input.timestamp}.${input.rawBody}`)
.digest("hex");
const expected = Buffer.from(expectedSignature);
const received = Buffer.from(input.signature);
return received.length === expected.length && timingSafeEqual(received, expected);
}Uses the documented timestamp.payload signature format.Compares signatures with timingSafeEqual.typescript
Minimal route handler pattern that verifies the raw body before processing the event.
export async function POST(request: Request) {
const rawBody = await request.text();
const timestamp = request.headers.get("x-apparel-market-timestamp") ?? "";
const signature = request.headers.get("x-apparel-market-signature") ?? "";
const verified = verifyApparelMarketWebhook({
rawBody,
timestamp,
signature,
signingSecret: process.env.APPAREL_MARKET_WEBHOOK_SECRET ?? ""
});
if (!verified) {
return Response.json({ error: "invalid_signature" }, { status: 401 });
}
const event = JSON.parse(rawBody);
return Response.json({ received: true, eventType: event.type ?? null });
}Reads the raw body before JSON parsing.Keeps the signing secret in environment configuration.Supported filters
Use the same vocabulary as buyer discovery so integrations do not need a separate taxonomy translation layer.
qcategorycollectiondepartmentproductTypepriceTierbuyerIntentTagmaterialTagshipToCountryavailabilityTypebrandLimitproductLimitAccess management
Public docs describe the authentication contract without listing issued keys or exposing rotation controls. Signed-in marketplace admins should create, rotate, revoke, and audit developer credentials from the operations settings surface so authorization state and evidence stay together.
signed-in admins
Keep raw secrets out of public pages, commits, screenshots, and support threads. Use placeholders in docs and environment-specific credentials in server-side integrations.
catalog:readAuthorization: Bearer <YOUR_APPAREL_MARKET_API_KEY>x-apparel-market-api-keyWebhook scaffolding
Local subscription records reserve the catalog and order event contract without sending network calls. They preserve target URL, masked signing-secret evidence, subscription status, and pending event coverage for future delivery workers.
local scaffold
https://example.test/webhooks/apparel-market/ordersorder.request_submittedorder.checkout_readyorder.cancelledOrder event subscription scaffold is paused until order/integration adapters graduate to live delivery.
local scaffold
https://example.test/webhooks/apparel-market/catalogcatalog.product_publishedcatalog.product_updatedcatalog.product_archivedCatalog event subscription scaffold for docs and local QA only; no outbound delivery worker is enabled.
Operator dashboard
Delivery attempts are projected into an operator dashboard with queued retries, sent/failure totals, dead-letter replay readiness, public-write gate evidence, and response previews that stay redacted. Raw payloads, signing secrets, raw signature values, and request header values are not stored or rendered beyond hash and preview evidence.
dashboard projection
2026-07-03T21:25:39.287ZRun a dry-run or injected-live webhook worker smoke before partner replay drills.
Keep POST /api/v1/webhooks/subscriptions disabled until public-write adapter controls are satisfied.
Dashboard rows use payloadSha256 instead of raw webhook payload bodies.Signing secrets are never projected; signature evidence is limited to sha256 hash plus a short preview.Request header values are not projected; persisted rows expose sorted header names only.Response bodies are rendered only as redacted, length-limited previews.retry queue
Overdue retry: No scheduled retry. Escalate overdue queued webhook attempts before new replay work is started.
Next hour: No scheduled retry. Let the retry worker process the next-hour queue and watch for another failure response.
Later retry: No scheduled retry. Keep later retries queued and revisit after nearer retry buckets are clear.
webhooks.subscriptions:write
webhooks.subscriptions:write remains blocked until tenant-scoped adapter controls are certified, idempotent, audited, and reversible.
tenantScopedidempotentauditedreversiblecertifiedAdapterNo production route is enabled for POST /api/v1/webhooks/subscriptions.
local evidence
Signed delivery plans are available. Attempt rows will appear here after the disabled, dry-run, or injected live worker records an execution attempt.
Write readiness
Public write routes are intentionally gated. The contract below defines the future route, required scope, approved pilot surface, and exact conditions that must be true before a production endpoint can mutate marketplace data.
catalog.products:write
Product writes can make buyer-visible merchandising claims, so the public route stays closed until tenant ownership, idempotency, media ingestion, and moderation release controls are live together.
Brand-tenant ownership check for every product, variant, media asset, and collectionIdempotency key and upstream revision fingerprint per source productCatalog completeness and moderation release review before buyer-visible publishMedia pipeline handoff for image downloads, transforms, storage, and safety checksNo production route is enabled for POST /api/v1/catalog/products.
inventory.availability:write
Inventory writes affect ATP, reservation holds, allocation plans, and buyer trust, so unaudited public writes are gated behind the inventory ledger and connector reconciliation rules.
Tenant-scoped SKU and warehouse/location mappingExternal event de-duplication and source timestamp orderingInventory movement ledger entry for every accepted availability changeReservation and ATP protection so connector updates cannot erase active holdsNo production route is enabled for PATCH /api/v1/inventory/availability.
orders.routing:write
Order writeback can alter fulfillment, payment, and buyer communication state, so the route remains closed until order state gates and external references are provider-certified.
Buyer, brand, and provider tenant match for the routed orderOrder approval, checkout packet, payment, allocation, and fulfillment readiness checksIdempotent external order reference per providerOperator-visible retry, failure, and manual override evidenceNo production route is enabled for POST /api/v1/orders/{orderId}/routing.
webhooks.subscriptions:write
Webhook subscription writes require secret custody, tenant admin review, delivery queueing, and dead-letter operations before partners can mutate endpoints through a public API.
Masked signing-secret creation and rotation with no post-creation secret displayTenant admin approval for target URL ownership and event coverageOutbound queue, retry, dead-letter, and replay operationsSigned delivery verification examples and delivery attempt audit evidenceNo production route is enabled for POST /api/v1/webhooks/subscriptions.
Next step
The read API is ready for internal tooling and partner pilots; write APIs, live webhooks, and connector credentials should follow the adapter layer.