API reference
Integrations
Integrations is where partner admins provision the credentials and event hooks their own systems will use to talk to Repurch. API keys authenticate server-to-server requests; the redemption webhook delivers credit events to the partner's checkout.
Secret handling
The full secret on a key-create response is shown once. Repurch stores only a hash; the plaintext value cannot be recovered. If a key is lost, revoke it and mint a fresh one. Store secrets in a managed vault (AWS Secrets Manager, GCP Secret Manager, Vault, 1Password Secrets Automation) and inject them via environment variables — never check them into source control.
List API keys and webhooks
Returns every active and revoked API key for the brand, plus the configured redemption webhook URL.
GET
/v1/partner/settings/integrationsAuth:
Authorization: Bearer … · Scopes: readExample request
curl
curl https://api.repurch.com/v1/partner/settings/integrations \
-H "Authorization: Bearer re_pk_..."Example response
json
{
"brand_id": "furniture-co",
"keys": [
{
"id": 14,
"brand_id": "furniture-co",
"label": "Production server",
"prefix": "re_pk_a1b2c3d4",
"scopes": [
"read",
"write"
],
"created_by": 42,
"created_at": "2026-05-04 10:14:22",
"last_used_at": "2026-06-10 08:13:55",
"last_used_ip": "82.46.123.10",
"revoked_at": null
},
{
"id": 9,
"brand_id": "furniture-co",
"label": "CI test runner (rotated)",
"prefix": "re_pk_z9y8x7w6",
"scopes": [
"read",
"write"
],
"created_by": 42,
"created_at": "2026-03-12 15:02:09",
"last_used_at": "2026-05-04 09:55:18",
"last_used_ip": "10.0.0.41",
"revoked_at": "2026-05-04 10:15:00"
}
],
"webhook": {
"redemption_webhook_url": "https://furnitureco.example/repurch/redemptions"
}
}Response fields
keys[].prefix string | First 11 characters of the key. The full secret is never returned after creation. |
keys[].scopes array | Scopes granted to the key. Standard keys carry [read, write]. |
keys[].last_used_at string or null | Timestamp of the most recent authenticated call made with this key (UTC). |
keys[].last_used_ip string or null | IP address of the most recent caller. Truncated to 45 characters. |
keys[].revoked_at string or null | Timestamp the key was revoked. Null while active. |
webhook.redemption_webhook_url string | HTTPS endpoint that receives redemption events. Empty string if not configured. |
Errors
| Status | Code | Message |
|---|---|---|
| 401 | missing_bearer_token | No Authorization: Bearer header provided. |
| 401 | invalid_token | Token is malformed, expired, or signed with the wrong key. |
| 403 | forbidden | Partner admin role required. |
Create an API key
Mints a new API key for the brand and returns the full secret. The full secret is shown only once on this response; subsequent reads return the prefix only. Must be called with a browser-issued JWT, not another API key.
POST
/v1/partner/settings/integrations/keysAuth:
Authorization: Bearer … · Scopes: writeRequest body
label stringrequired | Short identifier so the key can be told apart from others later, e.g. "Production server" or "CI test runner". |
Example request
curl
curl https://api.repurch.com/v1/partner/settings/integrations/keys \
-H "Authorization: Bearer eyJhbGc..." \
-H "Content-Type: application/json" \
-d '{ "label": "Production server" }'Example response
json
{
"secret": "re_pk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"key": {
"id": 14,
"brand_id": "furniture-co",
"label": "Production server",
"prefix": "re_pk_a1b2c3d4",
"scopes": [
"read",
"write"
],
"created_by": 42,
"created_at": "2026-06-10 09:42:11",
"last_used_at": null,
"last_used_ip": null,
"revoked_at": null
}
}Response fields
secret string | The full API key. Shown ONCE on this response and never returned again. Store it in your secret manager immediately. |
key object | Metadata about the persisted key. Same shape as keys[] on the list endpoint. |
Errors
| Status | Code | Message |
|---|---|---|
| 401 | missing_bearer_token | No Authorization: Bearer header provided. |
| 401 | invalid_token | Token is malformed, expired, or signed with the wrong key. |
| 403 | forbidden | Partner admin role required. |
| 400 | label_required | Give the key a short label so you can identify it later. |
| 403 | forbidden | API keys cannot mint other API keys. Sign in with a browser to create keys. |
| 500 | key_create_failed | Could not create the API key. Try again in a moment. |
Revoke an API key
Permanently revokes an API key. Any in-flight request authenticated with it will fail after the next cache cycle (within seconds).
DELETE
/v1/partner/settings/integrations/keys/{id}Auth:
Authorization: Bearer … · Scopes: writePath parameters
id integerrequired | API key id. |
Example request
curl
curl -X DELETE https://api.repurch.com/v1/partner/settings/integrations/keys/14 \
-H "Authorization: Bearer re_pk_..."Example response
json
{
"revoked": true
}Errors
| Status | Code | Message |
|---|---|---|
| 401 | missing_bearer_token | No Authorization: Bearer header provided. |
| 401 | invalid_token | Token is malformed, expired, or signed with the wrong key. |
| 403 | forbidden | Partner admin role required. |
| 404 | key_not_found | That key was not found or has already been revoked. |
Set the redemption webhook URL
Configures the HTTPS endpoint that receives redemption events. Send an empty string to clear it.
PATCH
/v1/partner/settings/integrations/webhookAuth:
Authorization: Bearer … · Scopes: writeRequest body
redemption_webhook_url string | HTTPS endpoint to POST redemption events to. Pass an empty string to disable webhooks. |
Example request
curl
curl -X PATCH https://api.repurch.com/v1/partner/settings/integrations/webhook \
-H "Authorization: Bearer re_pk_..." \
-H "Content-Type: application/json" \
-d '{
"redemption_webhook_url": "https://furnitureco.example/repurch/redemptions"
}'Example response
json
{
"webhook": {
"redemption_webhook_url": "https://furnitureco.example/repurch/redemptions"
}
}Errors
| Status | Code | Message |
|---|---|---|
| 401 | missing_bearer_token | No Authorization: Bearer header provided. |
| 401 | invalid_token | Token is malformed, expired, or signed with the wrong key. |
| 403 | forbidden | Partner admin role required. |
| 400 | webhook_url_invalid | Webhook URL must be a valid HTTPS endpoint. |