← All Documentation

Getting Started

Build your first Mercentia app in under 30 minutes. This guide walks you through account setup, authentication, making API calls, and submitting for review.

On This Page

Prerequisites

  • A web server that can handle HTTPS requests (Node.js, Python, Go, PHP, Ruby, etc.)
  • A public URL for your OAuth callback and webhook endpoint (use ngrok for local development)
  • Basic understanding of OAuth 2.0 and REST APIs

1. Create a Developer Account

  1. Go to Developer Sign In and create an account
  2. Navigate to Developer Dashboard
  3. Note your account details — you'll need these for API authentication
API Endpoint: You can also register programmatically via POST /api/v1/marketplace/developer/register

2. Create Your App

Submit your app through the submission form or via the API:

POST /api/v1/marketplace/developer/apps
{
  "name": "My Awesome App",
  "slug": "my-awesome-app",
  "tagline": "Boost your store with AI-powered recommendations",
  "description": "Full description of your app...",
  "category": "marketing",
  "subcategory": "Personalisation",
  "pricingModel": "freemium",
  "pricingConfig": {
    "trialDays": 14,
    "plans": [
      { "name": "Free", "price": "$0/mo", "features": ["100 recommendations/mo"] },
      { "name": "Pro", "price": "$29/mo", "features": ["Unlimited", "A/B testing"] }
    ]
  },
  "permissions": ["read_products", "read_orders", "read_customers"],
  "oauthRedirectUri": "https://myapp.com/auth/callback",
  "webhookUrl": "https://myapp.com/webhooks/mercentia",
  "languages": ["en", "fr", "de"],
  "regions": ["Global"],
  "privacyPolicyUrl": "https://myapp.com/privacy",
  "termsUrl": "https://myapp.com/terms"
}

The response includes your clientId and clientSecretPlaintext. Save the client secret — it is shown only once.

Security: Never expose your client secret in frontend code, Git repositories, or logs. Store it in environment variables or a secrets manager.

3. Implement OAuth

When a merchant installs your app, Mercentia redirects them through the OAuth flow:

Step 1: Authorization Request

Redirect the merchant to:

GET https://gateway.mercentia.com/oauth/authorize
  ?client_id=sf_app_abc123
  &redirect_uri=https://myapp.com/auth/callback
  &scope=read_products,read_orders
  &state=random_csrf_token
  &response_type=code
  &code_challenge=S256_challenge_here
  &code_challenge_method=S256

Step 2: Handle the Callback

Mercentia redirects to your redirect_uri with an authorization code:

GET https://myapp.com/auth/callback
  ?code=auth_code_here
  &state=random_csrf_token
  &store_id=store_uuid

Step 3: Exchange Code for Tokens

POST /oauth/token
{
  "grant_type": "authorization_code",
  "client_id": "sf_app_abc123",
  "client_secret": "your_client_secret",
  "code": "auth_code_here",
  "redirect_uri": "https://myapp.com/auth/callback",
  "code_verifier": "original_code_verifier"
}

Response:

{
  "access_token": "sf_at_xxxxx",
  "refresh_token": "sf_rt_xxxxx",
  "token_type": "Bearer",
  "expires_in": 86400,
  "scope": "read_products,read_orders",
  "store_id": "store_uuid"
}

Step 4: Refresh Tokens

Access tokens expire in 24 hours. Use the refresh token to get a new one without merchant interaction:

POST /oauth/token
{
  "grant_type": "refresh_token",
  "client_id": "sf_app_abc123",
  "client_secret": "your_client_secret",
  "refresh_token": "sf_rt_xxxxx"
}

4. Make Your First API Call

Use the access token to call the Mercentia API:

Node.js Example
const response = await fetch('https://gateway.mercentia.com/api/v1/products', {
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'X-Store-Id': storeId,
    'Content-Type': 'application/json',
  },
});

const { data } = await response.json();
console.log(`Found ${data.length} products`);
Python Example
import requests

response = requests.get(
    'https://gateway.mercentia.com/api/v1/products',
    headers={
        'Authorization': f'Bearer {access_token}',
        'X-Store-Id': store_id,
    }
)

data = response.json()['data']
print(f'Found {len(data)} products')
cURL Example
curl -X GET https://gateway.mercentia.com/api/v1/products \
  -H "Authorization: Bearer sf_at_xxxxx" \
  -H "X-Store-Id: store_uuid" \
  -H "Content-Type: application/json"

5. Handle Webhooks

Mercentia sends real-time events to your webhook URL when things happen in a merchant's store.

Node.js Webhook Handler
import crypto from 'crypto';

app.post('/webhooks/mercentia', (req, res) => {
  // 1. Verify signature
  const signature = req.headers['x-mercentia-signature'];
  const timestamp = req.headers['x-mercentia-timestamp'];
  const body = JSON.stringify(req.body);

  const expected = crypto
    .createHmac('sha256', process.env.WEBHOOK_SECRET)
    .update(`${timestamp}.${body}`)
    .digest('hex');

  if (signature !== expected) {
    return res.status(401).json({ error: 'Invalid signature' });
  }

  // 2. Check timestamp (reject if older than 5 minutes)
  const age = Date.now() - parseInt(timestamp);
  if (age > 300000) {
    return res.status(401).json({ error: 'Timestamp too old' });
  }

  // 3. Process the event
  const { event, payload } = req.body;

  switch (event) {
    case 'order.created':
      handleNewOrder(payload);
      break;
    case 'product.updated':
      handleProductUpdate(payload);
      break;
    case 'app.uninstalled':
      handleUninstall(payload);
      break;
  }

  // 4. Respond quickly (within 5 seconds)
  res.status(200).json({ received: true });
});

See the full Webhook Reference for all event types and payload formats.

6. Test Your App

Development Testing Checklist

  • Install flow — merchant clicks install, OAuth completes, your app receives tokens
  • Core functionality — your app works correctly with real store data
  • Webhook handling — events are received, verified, and processed
  • Error handling — graceful failures, user-friendly error messages
  • Uninstall flow — clean removal of all data, webhooks, and store modifications
  • Token refresh — app continues working after access token expires
  • Rate limits — app respects API rate limits without aggressive retry
  • Accessibility — keyboard navigation, screen reader, colour contrast
  • Responsive design — works on 320px to 4K screens
Tip: Use the test store credentials field in the submission form to give our reviewers access to a pre-configured demo. This speeds up review significantly.

7. Submit for Review

  1. Go to Submit Your App
  2. Fill in all required fields — metadata, pricing, permissions, compliance
  3. Provide test credentials for our review team
  4. Accept the Developer Terms of Service and Data Processing Agreement
  5. Submit and wait for review (7-14 business days for Community tier)

See our Review Guidelines to understand what we check and how to pass on the first try.

App Architecture

Mercentia apps are external web services that communicate via OAuth and webhooks. You host your own app.

Merchant's Store

Dashboard UI

Mercentia Platform

Gateway API · OAuth · Webhooks · Billing

Your App

Your server · Your hosting · Your database

  • You host your app — on Vercel, AWS, Railway, Heroku, or any infrastructure
  • Mercentia handles — authentication, billing, app listing, webhook delivery
  • Communication is via HTTPS — REST API calls and webhook POST requests
  • Data stays minimal — only request permissions your app actually needs