Base URL
All endpoints are served from:
Authentication
The public checkout endpoints are authenticated by merchant middleware, which identifies the merchant from the request (the shop_domain on session creation). You do not pass an API key on these endpoints.
Customer authentication is handled separately through the OTP flow. After Verify OTP succeeds, you receive JWT tokens:
| Token | Default expiration | Refresh |
|---|---|---|
| access_token | 1 hour | Use the refresh token |
| refresh_token | 30 days | Not refreshable |
flexy_access and flexy_refresh.
Checkout flow
Create a session
Call Create Session with the cart items. Save the returned session_id.
Send an OTP
Call Send OTP with the customer’s phone. Save the returned context_id.
Resend if needed
Call Resend OTP if the customer doesn’t receive the code.
Verify the OTP
Call Verify OTP with the code. Save the returned tokens and continue with payment.
Response format
Every response wraps its result in a consistent envelope.
Rate limits
| Operation | Limit | Window |
|---|---|---|
| Send / Resend OTP | 1 OTP per number | 30 seconds |
| Send / Resend OTP | 10 OTP per IP | 10 minutes |
| Verify OTP | 3 attempts | Per OTP |
| Create Session | No limit | — |
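
The limits in the table above, modelled as an added example (not the service's own code) so that client retry and resend logic can be tested offline. It assumes sliding windows measured from each accepted send, and `otp_key` is a hypothetical identifier for one issued OTP; phone numbers and IPs in any test input are constructed.

```python
from collections import defaultdict, deque

# Limits copied from the rate-limit table above.
PER_NUMBER_WINDOW = 30                 # seconds: 1 OTP per number
PER_IP_MAX, PER_IP_WINDOW = 10, 600    # 10 OTPs per IP per 10 minutes
MAX_VERIFY_ATTEMPTS = 3                # per OTP


class OtpLimitModel:
    """Local model of the documented limits (sliding windows are an assumption)."""

    def __init__(self):
        self.last_sent = {}                  # phone -> time of last accepted send
        self.ip_sends = defaultdict(deque)   # ip -> times of accepted sends
        self.attempts = {}                   # otp_key -> verify attempts used

    def allow_send(self, phone, ip, now, otp_key):
        """Return (allowed, retry_after_seconds) for a Send / Resend OTP call."""
        window = self.ip_sends[ip]
        while window and now - window[0] >= PER_IP_WINDOW:
            window.popleft()                 # forget sends older than 10 minutes
        waits = []
        last = self.last_sent.get(phone)
        if last is not None and now - last < PER_NUMBER_WINDOW:
            waits.append(PER_NUMBER_WINDOW - (now - last))
        if len(window) >= PER_IP_MAX:
            waits.append(PER_IP_WINDOW - (now - window[0]))
        if waits:
            return False, max(waits)         # wait until every limit has cleared
        self.last_sent[phone] = now
        window.append(now)
        self.attempts[otp_key] = 0           # assumed: each OTP gets its own count
        return True, 0

    def allow_verify(self, otp_key):
        """Return True while this OTP still has verify attempts left."""
        used = self.attempts.get(otp_key)
        if used is None or used >= MAX_VERIFY_ATTEMPTS:
            return False                     # unknown OTP or attempts exhausted
        self.attempts[otp_key] = used + 1
        return True
```

A rejected send returns the longest outstanding wait, so a client can disable its resend button for that many seconds instead of retrying blindly.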