Workspace APIs expect your tenant context via workspace_id (query or body) on server-trusted routes, or a workspace session from /workspace/auth/login.
For integrations you build yourself, issue a test API key from the Developer sandbox (below). Send it on every request:
Authorization: Bearer bc_test_xxxxxxxx
X-Workspace-Id: 123
Never expose live keys in browser code. Rotate keys from the sandbox UI if leaked.
GET https://api.beyondcommerce.app/api/v1/orders?workspace_id={id}
PATCH https://api.beyondcommerce.app/api/v1/orders/{id}/status
Body: { "status": "confirmed", "workspace_id": 123 }
Responses are JSON. Use idempotent retries with a client request id for writes.
Beyond Commerce sends signed webhooks for payments (Stripe, Paymob), shipping (Bosta), and messaging channels.
Verify signatures using the secret shown in Integrations. Log deliveries appear in the webhook log viewer when tenant_id is present.
Example Paymob payload shape:
{ "type": "TRANSACTION", "obj": { "id": "...", "success": true } }
Public marketing endpoints are rate-limited per IP. Workspace routes should stay under 60 requests/minute per tenant for sustained polling. Prefer webhooks over tight polling loops.