OpenAPI
Shoplazza OpenAPI lets apps read and write Shoplazza store data. Use this reference to understand the request model, authentication requirements, rate limits, and error responses for version 2026-01.
Authentication
All OpenAPI requests require authentication. Include the app access token in the access-token request header.
| Field | Value |
|---|---|
| Security scheme type | apiKey |
| Header parameter name | access-token |
Public apps receive access tokens through the app authorization flow. Private or internal integrations should use the token issued for the store and app.
Rate limits
Shoplazza APIs are rate-limited to protect platform stability. If requests are too frequent, slow down the client, queue background jobs, cache repeated reads, and retry after a short delay.
Use the response status and body to decide whether to retry. Avoid retrying validation errors without changing the request.
Status and error codes
For the current API version, common error responses are grouped into three status codes.
| Status code | Meaning | What to check |
|---|---|---|
| 400 Bad Request | Store, token, or request validation problem. | Confirm the store context, verify the access token, and validate parameter names, types, required fields, and request body format. |
| 403 Forbidden | The app does not have enough permission for the action. | Check the app scopes and make sure the merchant granted the required access. |
| 500 Internal Server Error | The platform could not complete the underlying business operation. | Review business constraints such as inventory availability or other domain rules. Retry only when the operation is safe to repeat. |
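
The retry guidance in the rate-limit section and the status table above can be combined into one client-side policy. The following Python sketch is an added example, not Shoplazza code: the `send` transport callable, the backoff values, the `/example` path, and the default of treating GET as safe to repeat are all assumptions.

```python
import random
import time

# Policy from the status table: 400 and 403 need a changed request or new
# scopes, so they are never resent as-is; 500 is retried only when the caller
# marks the operation as safe to repeat.
NEVER_RETRY = {400, 403}


def should_retry(status, safe_to_repeat):
    """True when a failed call may be sent again unchanged."""
    if status in NEVER_RETRY:
        return False
    return status == 500 and safe_to_repeat


def backoff_delay(attempt, base=0.5, cap=8.0, rng=random.random):
    """Capped exponential backoff with full jitter (base/cap are assumptions)."""
    return rng() * min(cap, base * 2 ** attempt)


def call_api(send, token, method, path, body=None, safe_to_repeat=None,
             max_attempts=4, sleep=time.sleep):
    """Run one API call through the retry policy.

    `send(method, path, headers, body)` is a hypothetical transport callable
    returning (status, response_body); injecting it keeps the policy testable
    offline. Treating GET as safe to repeat by default is an assumption.
    """
    if safe_to_repeat is None:
        safe_to_repeat = method.upper() == "GET"
    headers = {"access-token": token}  # header name from the Authentication table
    for attempt in range(1, max_attempts + 1):
        status, resp = send(method, path, headers, body)
        retry = status >= 400 and should_retry(status, safe_to_repeat)
        if not retry or attempt == max_attempts:
            return status, resp
        sleep(backoff_delay(attempt - 1))


if __name__ == "__main__":
    # Constructed transport: fails twice with 500, then succeeds.
    replies = iter([(500, "{}"), (500, "{}"), (200, '{"ok": true}')])
    fake = lambda m, p, h, b: next(replies)
    print(call_api(fake, "TOKEN_PLACEHOLDER", "GET", "/example", sleep=lambda s: None))
```

Writes are not retried unless the caller passes `safe_to_repeat=True`, which keeps a failed order or inventory change from being applied twice.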