All requests made by Bolt to your ecommerce Merchant API are signed so that you can confirm their authenticity. Your implementation should always verify the signature to make sure that the caller of your endpoint is Bolt.
Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.
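A minimal local check of the X-Bolt-Hmac-Sha256 header, added here as an illustration and not Bolt's own code. It assumes the signature is the base64-encoded HMAC-SHA256 of the raw request body keyed with your Signing Secret; the function names, secret and payload are constructed for the example.

```python
import base64
import hashlib
import hmac

HEADER = "X-Bolt-Hmac-Sha256"  # header name given in the text above


def compute_signature(raw_body: bytes, signing_secret: str) -> str:
    """HMAC-SHA256 over the exact bytes received, base64-encoded (assumed encoding)."""
    digest = hmac.new(signing_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def is_from_bolt(headers: dict, raw_body: bytes, signing_secret: str) -> bool:
    """Return True only if the header is present and matches the recomputed HMAC."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    received = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    if not received:
        return False  # unsigned request: reject instead of processing it
    expected = compute_signature(raw_body, signing_secret)
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading characters of a forged signature were correct.
    return hmac.compare_digest(expected.encode(), received.strip().encode())


# Constructed sample input (not real Bolt data or a real secret).
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"type":"pending","order_reference":"cart_123"}'
SAMPLE_HEADERS = {"x-bolt-hmac-sha256": compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}

if __name__ == "__main__":
    print("genuine:", is_from_bolt(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET))
    print("tampered:", is_from_bolt(SAMPLE_HEADERS, SAMPLE_BODY + b" ", SAMPLE_SECRET))
    print("unsigned:", is_from_bolt({}, SAMPLE_BODY, SAMPLE_SECRET))
```

Pass the body bytes exactly as they arrived on the wire; parsing and re-serialising the JSON before hashing changes the bytes and makes genuine requests fail verification.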
Creating orders through the frontend (rather than through a pre-auth endpoint) can occasionally prevent an order from linking to a Bolt ID. This disconnect is typically caused by internet disruptions, browser crashes, and similar occurrences on the shopper’s end.
To handle unlinked transactions, make sure that the pending transaction hook is capable of converting an existing cart order_reference into an order.
Bolt provides two account environments: Sandbox and Production. Each environment includes a unique Merchant Dashboard. All transactions that flow through Bolt’s checkout can be found in your Merchant Dashboard.
Each merchant account has a unique API Key and Signing Secret that Bolt uses to accurately verify and associate transactions with the account’s divisions.
A Bolt merchant account can have one or many divisions. A division represents a uniquely configured instance of Bolt Checkout to fit a specific use case or workflow (e.g., storefront and back office). Division setup often includes enabling different features and creating separate webhooks for every division.
Each merchant division has a unique Publishable Key that is used to access your transaction data outside of the Bolt Merchant Dashboard.
Collaborating with many developers across multiple sandboxes does not require multiple divisions. Simply add each URL to your Approved Domains list.
Merchant account types are associated with individual processors. Because each processor has unique workflows and setup requirements, switching your payment processor requires setting up a new Bolt merchant account that aligns with the newly chosen processor.
| Key | Purpose |
|---|---|
| API Key | Used for calling the Bolt API from your backend server |
| Signing Secret | Used for signature verification on requests received from Bolt |
| Publishable Key | Embedded on your website and used by Bolt to identify your website |