Apps API

Build integrations with Zapier, Make.com, and custom apps using the Cartly REST Apps API and REST Hooks.

Overview

The Cartly Apps API powers official integrations like Zapier and Make.com and is available to any OAuth 2.0 authorized app. Two interaction patterns:

REST Hook triggers — subscribe a URL for push-based real-time events (used by Zapier and Make)
Action endpoints — create customers, update orders, adjust inventory, create discounts

Authentication

All Apps API requests require an OAuth 2.0 access token in the Authorization: Bearer header. Complete the OAuth 2.0 flow to obtain a token.

GET /apps/api/me

bash

curl "https://cartly.pro/apps/api/me" \
  -H "Authorization: Bearer ACCESS_TOKEN"

# Response
# { "shop": { "id": "...", "name": "My Store" }, "app": { "name": "Zapier" } }

REST Hook Events (Triggers)

Subscribe a URL to receive push-based real-time events. Zapier and Make.com use this for instant triggers.

Name	Type	Required	Description
order.created	event	No	Fired when a new order is placed
order.updated	event	No	Fired when order status changes
order.fulfilled	event	No	Fired when order is fulfilled
order.canceled	event	No	Fired when order is canceled
product.created	event	No	Fired when a new product is added
product.updated	event	No	Fired when product details change
customer.created	event	No	Fired when a customer registers
cart.abandoned	event	No	Fired when cart is abandoned after configured delay

Register and unregister REST Hooks

bash

# Register a REST Hook
curl -X POST "https://cartly.pro/apps/api/webhooks" \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://hooks.zapier.com/...", "events": ["order.created"]}'

# Unregister
curl -X DELETE "https://cartly.pro/apps/api/webhooks/wh_01H8..." \
  -H "Authorization: Bearer ACCESS_TOKEN"

API Endpoints

Available REST endpoints for app integrations.

Name	Type	Required	Description
GET /apps/api/me	endpoint	No	Returns authenticated shop info and app details
GET /apps/api/customers	endpoint	No	List customers with optional email filter
POST /apps/api/customers	endpoint	No	Create a new customer
PUT /apps/api/customers/:id	endpoint	No	Update customer fields
PUT /apps/api/orders/:id	endpoint	No	Update order status or add note
PUT /apps/api/inventory/:variant_id	endpoint	No	Adjust inventory quantity for a variant
POST /apps/api/discounts	endpoint	No	Create a discount code
GET /apps/api/webhooks	endpoint	No	List registered REST Hook subscriptions
POST /apps/api/webhooks	endpoint	No	Register a new REST Hook URL
DELETE /apps/api/webhooks/:id	endpoint	No	Unregister a REST Hook

Action Examples

bash

curl -X POST "https://cartly.pro/apps/api/customers" \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  --data '{"email": "jane@example.com", "first_name": "Jane"}'

Webhook Headers

Every REST Hook delivery includes:

X-Cartly-Hmac-Sha256 — HMAC-SHA256 signature of the raw body, prefixed with sha256=
X-Cartly-Shop-Domain — the shop storefront domain (e.g. mystore.mycartly.pro)
X-Cartly-Webhook-Id — unique ID of the webhook subscription

Zapier Integration

Install from the Cartly App Store. Automate with 6,000+ apps — no code required.

Triggers (7): New Order, Order Updated, Order Fulfilled, Order Canceled, New Product, Product Updated, New Customer
Actions (4): Create Customer, Update Order, Adjust Inventory, Create Discount
Searches (2): Find Customer by email, Find Order by number

Make.com Integration

Available on Make.com. Build multi-step scenarios with full data mapping.

Instant Triggers (6): New Orders, Order Updates, New Products, Product Updates, New Customers, Abandoned Carts
Actions (4): Create Customer, Update Order, Adjust Inventory, Create Discount
Searches (2): Search Customer, Search Order

OAuth Consent Page

For browser-redirect flows (required by Zapier and Make.com), redirect merchants to the Cartly OAuth consent page. See the Authentication guide for the full flow.

Signature verification (Node.js)

javascript

import crypto from "crypto";

function verifyCartlyWebhook(rawBody, signature, secret) {
  const hmac = crypto.createHmac("sha256", secret)
    .update(rawBody, "utf8").digest("hex");
  const expected = `sha256=${hmac}`;
  return crypto.timingSafeEqual(
    Buffer.from(signature), Buffer.from(expected)
  );
}

// Express handler
app.post("/cartly-hook",
  express.raw({ type: "application/json" }),
  (req, res) => {
    const sig = req.headers["x-cartly-hmac-sha256"];
    if (!verifyCartlyWebhook(req.body.toString(), sig, process.env.WEBHOOK_SECRET)) {
      return res.status(401).json({ error: "Invalid signature" });
    }
    res.status(200).json({ received: true });
  }
);

Overview

The Cartly Apps API powers official integrations like Zapier and Make.com and is available to any OAuth 2.0 authorized app. Two interaction patterns:

REST Hook triggers — subscribe a URL for push-based real-time events (used by Zapier and Make)

Action endpoints — create customers, update orders, adjust inventory, create discounts

Name

Type

Required

Description

order.created

event

Fired when a new order is placed

order.updated

event

Fired when order status changes

order.fulfilled

event

Fired when order is fulfilled

order.canceled

event

Fired when order is canceled

product.created

event

Fired when a new product is added

product.updated

event

Fired when product details change

customer.created

event

Fired when a customer registers

cart.abandoned

event

Fired when cart is abandoned after configured delay

# Register a REST Hook curl -X POST "https://cartly.pro/apps/api/webhooks" \ -H "Authorization: Bearer ACCESS_TOKEN" \ -H "Content-Type: application/json" \ -d '{"url": "https://hooks.zapier.com/...", "events": ["order.created"]}' # Unregister curl -X DELETE "https://cartly.pro/apps/api/webhooks/wh_01H8..." \ -H "Authorization: Bearer ACCESS_TOKEN"

Name

Type

Required

Description

GET /apps/api/me

endpoint

Returns authenticated shop info and app details

GET /apps/api/customers

endpoint

List customers with optional email filter

POST /apps/api/customers

endpoint

Create a new customer

PUT /apps/api/customers/:id

endpoint

Update customer fields

PUT /apps/api/orders/:id

endpoint

Update order status or add note

PUT /apps/api/inventory/:variant_id

endpoint

Adjust inventory quantity for a variant

POST /apps/api/discounts

endpoint

Create a discount code

GET /apps/api/webhooks

endpoint

List registered REST Hook subscriptions

POST /apps/api/webhooks

endpoint

DELETE /apps/api/webhooks/:id

endpoint

Unregister a REST Hook

curl -X POST "https://cartly.pro/apps/api/customers" \ -H "Authorization: Bearer ACCESS_TOKEN" \ -H "Content-Type: application/json" \ --data '{"email": "jane@example.com", "first_name": "Jane"}'

Zapier Integration

Install from the Cartly App Store. Automate with 6,000+ apps — no code required.

Triggers (7): New Order, Order Updated, Order Fulfilled, Order Canceled, New Product, Product Updated, New Customer

Actions (4): Create Customer, Update Order, Adjust Inventory, Create Discount

Searches (2): Find Customer by email, Find Order by number

Make.com Integration

Available on Make.com. Build multi-step scenarios with full data mapping.

Instant Triggers (6): New Orders, Order Updates, New Products, Product Updates, New Customers, Abandoned Carts

Actions (4): Create Customer, Update Order, Adjust Inventory, Create Discount

Searches (2): Search Customer, Search Order

import crypto from "crypto"; function verifyCartlyWebhook(rawBody, signature, secret) { const hmac = crypto.createHmac("sha256", secret) .update(rawBody, "utf8").digest("hex"); const expected = `sha256=${hmac}`; return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(expected) ); } // Express handler app.post("/cartly-hook", express.raw({ type: "application/json" }), (req, res) => { const sig = req.headers["x-cartly-hmac-sha256"]; if (!verifyCartlyWebhook(req.body.toString(), sig, process.env.WEBHOOK_SECRET)) { return res.status(401).json({ error: "Invalid signature" }); } res.status(200).json({ received: true }); } );