Storefront BFF API

The Storefront BFF API is a REST API that provides a stable, domain-oriented interface for building customer experiences on the Horizon Storefront.

The API uses predictable resource-oriented URLs, accepts JSON request bodies, returns JSON responses, and uses standard HTTP response codes and authentication.

Base URL

All API requests should be made to this base URL. See Environments for staging and development URLs.

https://storefront.api.templeandwebster.com

Resource groups

Endpoints are organised by domain.

API Domains

Domain	Description
Authentication	`/auth/login`, `/auth/logout`
Products	Product detail, variants, media
Categories	Navigation, merchandising
Cart	Cart lifecycle, line items
Orders	Order detail and history
Customers	Profiles, addresses, preferences
Content	CMS-driven marketing content
Search	Search suggestions and queries
Health	Readiness and liveness endpoints

Just getting started?

Check out our development quickstart guide.

Authentication

The Storefront API uses different authentication methods depending on the caller type.

Auth schemes

The API supports two authentication schemes depending on the use case.

Public endpoints

Public endpoints require no authentication. These include:

Product and category browse
Search suggestions
CMS content and static pages

These endpoints do not expose PII and can be cached at the edge.

Customer authentication

Customer flows (cart, checkout, orders, profile) require a BFF session token obtained via login.

Call POST /auth/login with credentials and reCAPTCHA response
Receive accessToken, tokenType, expiresIn, and customer object
Include the token in X-BFF-Token header on subsequent requests

curl -X POST https://storefront.api.templeandwebster.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "emailAddress": "customer@example.com",
    "password": "SecurePassword123!",
    "gRecaptchaResponse": "03AGdBq27..."
  }'

Response

The login response contains:

accessTokenstringrequired: JWT token to include in subsequent requests.
tokenTypestringrequired: Token type, always "Bearer".
expiresInintegerrequired: Token validity in seconds.
customerobjectrequired: Customer profile object with id, emailAddress, firstName, lastName.

{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "tokenType": "Bearer",
  "expiresIn": 3600,
  "customer": {
    "id": "cust-123",
    "emailAddress": "customer@example.com",
    "firstName": "Jane",
    "lastName": "Smith"
  }
}

Authenticated request

Include the token in the X-BFF-Token header for all authenticated requests.

curl https://storefront.api.templeandwebster.com/customers/me \
  -H "X-BFF-Token: eyJhbGciOiJIUzI1NiIs..."

Token lifetime

expiresIn indicates token validity in seconds
401 Unauthorized indicates an expired or invalid token
403 Forbidden indicates insufficient permissions

Tokens are short-lived. Handle expiry by re-authenticating or using the refresh flow at POST /auth/token.

Server-to-server

Internal services use Google Cloud identity tokens.

These endpoints must not be exposed to the public internet.

curl https://storefront.api.templeandwebster.com/internal/endpoint \
  -H "Authorization: Bearer ya29.c.Kp8B..."

Errors

The Storefront BFF uses conventional HTTP response codes to indicate the success or failure of an API request. In general: Codes in the 2xx range indicate success. Codes in the 4xx range indicate an error that failed given the information provided (e.g., a required parameter was omitted, a validation failed, etc.). Codes in the 5xx range indicate an error with the server (these should be rare).

Some 4xx errors that could be handled programmatically include an error code that briefly explains the error reported.

Attributes

codestring: For some errors that could be handled programmatically, a short string indicating the error code reported.
messagestringrequired: A human-readable message providing more details about the error. These messages can be shown to your users or logged for debugging.
statusintegerrequired: HTTP status code (e.g., 400, 401, 404, 422, 429, 500).
errorsarray: For validation errors, a list of detailed field-level errors. Each error contains field, code, and message properties.
typeenum: The type of error returned. One of api_error, auth_error, validation_error, not_found_error, conflict_error, or rate_limit_error.

HTTP Status Code Summary

Status	Name	Description
200	OK	Everything worked as expected.
201	Created	Resource was successfully created.
204	No Content	Request succeeded with no response body.
400	Bad Request	The request was malformed or semantically invalid.
401	Unauthorized	No valid authentication credentials provided.
403	Forbidden	The authenticated user doesn't have permissions.
404	Not Found	The requested resource doesn't exist.
409	Conflict	The request conflicts with the current state.
422	Unprocessable Entity	Validation failed for one or more fields.
429	Too Many Requests	Too many requests hit the API too quickly.
500	Internal Server Error	Something went wrong on the server's end.
502	Bad Gateway	A downstream service returned an invalid response.
503	Service Unavailable	A downstream service is temporarily unavailable.
504	Gateway Timeout	A downstream service did not respond in time.

Error Types

Type	Description
`api_error`	API errors cover any other type of problem, and are extremely uncommon.
`auth_error`	Authentication errors occur when credentials are missing, invalid, or expired.
`validation_error`	Validation errors arise when your request has invalid parameters.
`not_found_error`	Not found errors occur when the requested resource doesn't exist.
`conflict_error`	Conflict errors occur when the request conflicts with current state.
`rate_limit_error`	Rate limit errors occur when too many requests hit the API too quickly.

Detailed Error

Within the errors array, each detailed error contains:

fieldstring: If the error is field-specific, the field path related to the error. For example, you can use this to display a message near the correct form field (e.g., email, shippingAddress.postcode).
codestring: Machine-readable error code for this specific field error (e.g., REQUIRED, INVALID_FORMAT, OUT_OF_RANGE).
messagestring: Human-readable explanation for this field error.

{
  "status": 422,
  "message": "Validation error",
  "code": "VALIDATION_ERROR",
  "type": "validation_error",
  "errors": [
    {
      "field": "email",
      "code": "REQUIRED",
      "message": "Email address is required"
    },
    {
      "field": "shippingAddress.postcode",
      "code": "INVALID_FORMAT",
      "message": "Postcode must be 4 digits"
    }
  ]
}

Handling errors

Our API libraries raise exceptions for many reasons, such as invalid parameters, authentication errors, and network unavailability. We recommend writing code that gracefully handles all possible API exceptions.

try {
  const response = await fetch('/api/orders', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(orderData),
  });

  if (!response.ok) {
    const error = await response.json();

    switch (error.type) {
      case 'validation_error':
        error.errors?.forEach((e) => {
          console.error(`${e.field}: ${e.message}`);
        });
        break;
      case 'auth_error':
        // Redirect to login
        break;
      case 'rate_limit_error':
        // Retry with backoff
        break;
      default:
        console.error(error.message);
    }
  }
} catch (err) {
  console.error('Network error:', err);
}

Requests

The Storefront BFF is a JSON-over-HTTP API. This page covers the common patterns used across endpoints.

HTTP methods

Standard HTTP methods for CRUD operations.

Required headers

Any request with a body must set Content-Type: application/json.

Content-Type: application/json
Accept: application/json

Resource IDs

Resources have stable, unique identifiers. Treat IDs as opaque strings.

{
  "id": "cust-660e9511-f3ac-42e5-b827-6f7g9b8e0c4d",
  "version": 3,
  "createdAt": "2024-02-10T14:20:00Z",
  "lastModifiedAt": "2024-11-24T09:30:00Z"
}

Money

Monetary values use minor units (cents).

Do not send floating-point dollar values. Always use the structured Money object.

typestringrequired: Precision type, always "centPrecision".
currencyCodestringrequired: ISO 4217 currency code (e.g., AUD, NZD).
centAmountintegerrequired: Amount in minor units (cents).
fractionDigitsintegerrequired: Number of decimal places for the currency.

{
  "type": "centPrecision",
  "currencyCode": "AUD",
  "centAmount": 1999,
  "fractionDigits": 2
}

Localised strings

Text that varies by locale uses LocalizedString.

Keys are IETF language tags (e.g., en-AU).

{
  "en-AU": "Premium 3 Seater Sofa Bed",
  "en-NZ": "Premium 3 Seater Sofa Bed"
}

Timestamps

All timestamps use RFC 3339 / ISO 8601 format in UTC.

Always include the trailing Z for UTC. Do not send local time zone offsets.

{
  "createdAt": "2024-02-10T14:20:00Z",
  "lastModifiedAt": "2024-11-24T09:30:00Z"
}

Paged responses

Collection endpoints return a paged envelope.

See Pagination for details.

limitintegerrequired: Maximum number of results requested.
offsetintegerrequired: Number of results to skip.
countintegerrequired: Number of results in this response.
totalintegerrequired: Total number of results available.
resultsarrayrequired: Array of result objects.

{
  "limit": 20,
  "offset": 0,
  "count": 20,
  "total": 350,
  "results": [...]
}

Error responses

All errors use a standard structure.

See Errors for the full list of status codes and error types.

{
  "status": 422,
  "message": "Validation error",
  "code": "VALIDATION_ERROR",
  "errors": [
    {
      "field": "email",
      "code": "REQUIRED",
      "message": "Field is required"
    }
  ]
}

Environments

The Storefront API runs in multiple environments with the same contract but different base URLs.

Base URLs

Choose the environment appropriate for your use case.

Environment URLs

Environment	Base URL
Production	`https://storefront.api.templeandwebster.com`
Staging	`https://storefront.staging.api.templeandwebster.com`
Development	`https://storefront.dev.api.templeandwebster.com`
Local	`http://localhost:8080`

Production

Live customer traffic with real data. Subject to SLOs, monitoring, and change controls.

Use for:

Validating behaviour with feature flags after deployment
Investigating production issues with appropriate access

Never run synthetic load tests or use fake customer data against production.

https://storefront.api.templeandwebster.com

Staging

Mirrors production topology. Used for pre-release verification and regression testing.

Use for:

End-to-end test scenarios
QA and UAT flows
Verifying migrations and contract changes

Data may be synthetic or sanitised production records.

https://storefront.staging.api.templeandwebster.com

Development

Shared integration environment for feature development.

Use for:

Testing API changes from feature branches
Manual testing from local frontend instances
Early integration testing with other teams

Data and configuration may change frequently.

https://storefront.dev.api.templeandwebster.com

Local

Runs the BFF on http://localhost:8080.

Typical setup:

Storefront Next on http://localhost:3000
Frontend proxies API calls to localhost:8080

See the storefront-bff README for setup details.

http://localhost:8080

Choosing an environment

Select the right environment for your task.

Pagination

All top-level API resources have support for bulk fetches through "list" API methods. These list API methods share a common structure and accept, at a minimum, the following parameters: limit and offset.

The Storefront BFF uses offset-based pagination through the limit and offset parameters.

Parameters

limitinteger: This specifies a limit on the number of objects to return, ranging between 1 and 100. Default is 20.
offsetinteger: The number of results to skip before returning results. Use this to page through results. Default is 0.

GET /products?limit=20&offset=40

List Response Format

limitintegerrequired: The limit that was applied to this request.
offsetintegerrequired: The offset that was applied to this request.
countintegerrequired: The number of results in this response (may be less than limit on the last page).
totalintegerrequired: The total number of results available across all pages.
resultsarrayrequired: An array containing the actual response elements.

{
  "limit": 20,
  "offset": 40,
  "count": 20,
  "total": 350,
  "results": [
    {
      "id": "prod-12345",
      "name": "Premium Sofa",
      "price": {
        "centAmount": 199900,
        "currencyCode": "AUD"
      }
    }
  ]
}

Pagination example

To paginate through results:

Make an initial request with your desired limit
Check if offset + count < total to determine if more pages exist
Increment offset by limit for the next page
Repeat until you've retrieved all results

# First page
curl "https://storefront.api.templeandwebster.com/products?limit=20&offset=0"

# Second page
curl "https://storefront.api.templeandwebster.com/products?limit=20&offset=20"

# Third page
curl "https://storefront.api.templeandwebster.com/products?limit=20&offset=40"

Best practices

Use reasonable page sizes (20-50 items) for optimal performance
Cache results where appropriate to reduce API calls
Handle the case where total may change between requests (items added/removed)
Consider using filtering to reduce result sets before pagination

Filtering

The Storefront BFF provides several filtering mechanisms for collection endpoints.

Query parameters

Many endpoints expose explicit parameters for common filters:

Boolean flags: inStock, featured, isDefault
Value ranges: minPrice, maxPrice (in cents)
Enumerations: status=active|inactive|discontinued
Identifiers: category, brand, customerId

curl "https://storefront.api.templeandwebster.com/products?category=sofas&status=active&minPrice=50000&maxPrice=200000"

Full-text search

Endpoints with search use the query parameter.

The query is passed to the search system and may support stemming, synonyms, and fuzzy matching.

curl "https://storefront.api.templeandwebster.com/search?query=sofa%20bed"

Structured filters

For complex conditions, use the filter parameter with operators.

Operators

Operator	Description
`[eq]`	Equal (default)
`[ne]`	Not equal
`[gt]`	Greater than
`[gte]`	Greater than or equal
`[lt]`	Less than
`[lte]`	Less than or equal

curl "https://storefront.api.templeandwebster.com/products?filter[status]=active&filter[price[gte]]=5000&filter[price[lte]]=20000"

Filter examples

Combine multiple filter parameters in a single request.

# Active products between $50 and $200
GET /products?filter[status]=active&filter[price[gte]]=5000&filter[price[lte]]=20000

# Orders created after a date
GET /orders?filter[createdAt[gte]]=2025-01-01T00:00:00Z

Locale filtering

Content endpoints support a locale parameter.

Pattern: ^[a-z]{2}-[A-Z]{2}$ (e.g., en-AU). Default: en-AU.

curl "https://storefront.api.templeandwebster.com/content/footer?locale=en-AU"

Error handling

Invalid filters return 400 Bad Request with details about the invalid parameter.

{
  "status": 400,
  "message": "Invalid filter parameter",
  "code": "INVALID_FILTER",
  "errors": [
    {
      "field": "filter[price[gte]]",
      "code": "INVALID_VALUE",
      "message": "Expected a numeric value"
    }
  ]
}

Headers

Standard HTTP headers used by the Storefront BFF.

Request headers

Headers to include with your API requests.

Required Headers

Header	Required	Description
`Content-Type`	Yes (with body)	Must be `application/json`
`Accept`	Recommended	Should be `application/json`
`X-BFF-Token`	Customer endpoints	Customer session JWT
`Authorization`	S2S endpoints	`Bearer <gcp-identity-token>`
`X-Api-Version`	Yes	API version (e.g., `v1.0`)
`Correlation-Id`	Recommended	UUID for request tracing

Content-Type

Required for any request with a body.

If missing or incorrect, returns 415 Unsupported Media Type.

Content-Type: application/json

X-BFF-Token

Customer session token from the login flow.

Required for customer endpoints (cart, orders, profile). See Authentication.

X-BFF-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Authorization

Google Cloud identity token for service-to-service calls.

Used by internal services and batch jobs.

Authorization: Bearer ya29.c.Kp8B...

X-Api-Version

Selects the resource schema version.

Pattern: v{major}.{minor}. Required on requests, echoed in responses.

X-Api-Version: v1.0

Correlation-Id

UUID for correlating logs and traces across services.

Optional. If not provided, the BFF generates one. Reuse the same ID for related requests in a single user flow (e.g., checkout).

Correlation-Id: 550e8400-e29b-41d4-a716-446655440000

Response headers

Headers returned in API responses.

Sorting

Collection endpoints support sorting via the sort query parameter.

Syntax

Direction must be asc (ascending) or desc (descending).

sort={field}:{direction}

Examples

Sort by a single field with ascending or descending direction.

# Sort by name ascending
curl "https://storefront.api.templeandwebster.com/products?sort=name:asc"

# Sort by creation date descending
curl "https://storefront.api.templeandwebster.com/orders?sort=createdAt:desc"

Multi-field sorting

Repeat the sort parameter for multiple fields.

Sort is applied in parameter order:

Featured products first
Then by popularity
Then alphabetically by name

curl "https://storefront.api.templeandwebster.com/products?\
sort=featured:desc&\
sort=popularity:desc&\
sort=name:asc"

Common sort fields

Available fields vary by endpoint.

Error handling

Unsupported sort fields return 400 Bad Request.

{
  "status": 400,
  "message": "Unsupported sort field",
  "code": "INVALID_SORT_FIELD",
  "errors": [
    {
      "field": "sort",
      "code": "UNSUPPORTED",
      "message": "The sort field 'foo' is not supported"
    }
  ]
}

With pagination

Sorting is applied before pagination. Always use the same sort parameters when paginating to maintain stable ordering.

curl "https://storefront.api.templeandwebster.com/products?\
sort=price:asc&\
limit=20&\
offset=20"

Versioning

The Storefront BFF uses resource versioning to evolve endpoints while preserving client compatibility.

Version format

Versions follow vMAJOR.MINOR (e.g., v1.0, v1.1).

X-Api-Version header

Specify the desired version using the X-Api-Version request header.

The response echoes the version used.

curl -H "X-Api-Version: v1.0" \
  https://storefront.api.templeandwebster.com/products

Compatibility

The API maintains backward compatibility within a major version.

Non-breaking changes

Non-breaking changes do not require a new API version and may be deployed at any time.

{
  "id": "prod-123",
  "name": "Modern Sofa",
  "price": 1999,
  "newField": "added without breaking"
}

Sunset policy

When a major version is deprecated:

At least 6 months notice is provided
Migration guides are published
Sunset dates are communicated via release notes

Continue using the latest stable version to minimize migration effort.

Best practices

Always send X-Api-Version to ensure consistent behaviour
Ignore unknown fields in responses (forward compatibility)
Subscribe to release notes for deprecation notices
Test against staging before upgrading in production

Idempotency

The API supports idempotency for safely retrying requests without performing the same operation twice.

HTTP method semantics

Understand which methods are safe to retry.

Safe to retry

These operations can be retried on network failures or 5xx errors:

GET, HEAD, OPTIONS - always safe
PUT, DELETE - idempotent by design
POST - only where explicitly documented

Good: state-setting

Prefer state-setting operations over action-style operations.

The client sends the desired state. Retries produce the same outcome.

PUT /carts/{cartId}
Content-Type: application/json

{
  "discountCode": "WELCOME10"
}

Risky: action-style

Action endpoints are harder to make safe. Prefer state-setting alternatives.

# Action-style (harder to make safe)
POST /orders/{orderId}/cancel

# Better: state-setting alternative
PUT /orders/{orderId}
Content-Type: application/json

{
  "status": "CANCELLED"
}

Idempotent actions

When actions are necessary, implement them to be retry-safe:

Server behaviour:

If confirmable, confirm and return the result
If already confirmed, return the same result (not an error)
If in an incompatible state, return 4xx

POST /checkout/{sessionId}/confirm

Idempotency keys

The API does not currently require explicit idempotency keys. If introduced in future, they will:

Use an Idempotency-Key header
Be scoped to method, path, and principal
Store and replay original responses for matching requests

Retry guidance

When to retry a request.

Retry Scenarios

Scenario	Safe to retry?
Network timeout	Yes for idempotent methods
`5xx` response	Yes with exponential backoff
`4xx` response	No - client error, fix the request
Non-idempotent `POST`	Only if documented as safe

Rate Limits

The API applies rate limiting to protect downstream systems and ensure consistent performance.

429 Too Many Requests

When you exceed a rate limit, the API returns a 429 status code.

{
  "status": 429,
  "message": "Too many requests, please try again later",
  "code": "RATE_LIMIT_EXCEEDED"
}

Retry-After header

The response may include a Retry-After header indicating how many seconds to wait before retrying.

HTTP/1.1 429 Too Many Requests
Retry-After: 5
Content-Type: application/json

Limit scopes

Rate limits may be applied by:

IP address - protects against abusive traffic
Customer session - prevents UI loops
Service account - for server-to-server integrations
Endpoint - expensive operations (e.g., search) may have stricter limits

Exact thresholds are environment-specific and may change without notice.

Browser clients

Debounce search and autocomplete requests
Cache static data lookups
On 429, wait per Retry-After and show a friendly message
Don't retry aggressively

Server clients

Implement exponential backoff with jitter: 1s, 2s, 4s, 8s (capped)
Reuse HTTP clients with connection pooling
Stagger retries after outages to avoid thundering herd

Example backoff

Implement exponential backoff with jitter for production clients.

async function fetchWithRetry(url: string, options: RequestInit, maxRetries = 3) {
  for (let attempt = 0; attempt <= maxRetries; attempt++) {
    const response = await fetch(url, options);

    if (response.status === 429) {
      const retryAfter = response.headers.get('Retry-After') || '1';
      const baseDelay = Math.pow(2, attempt) * 1000;
      const delay = Math.min(baseDelay, 30000);
      const jitter = Math.random() * 1000;

      await sleep(Math.max(parseInt(retryAfter) * 1000, delay) + jitter);
      continue;
    }

    return response;
  }

  throw new Error('Max retries exceeded');
}

function sleep(ms: number) {
  return new Promise((resolve) => setTimeout(resolve, ms));
}

Non-production environments

Rate limits in development and staging may be less strict but can still apply to expensive endpoints like search.

Design your clients to handle 429 gracefully in all environments.

Task	Environment
Building a feature	Local, then Development
Cross-team integration	Development, then Staging
Preparing a release	Staging
Investigating issues	Staging or Development first

Endpoint	Typical fields
`GET /products`	`name`, `price`, `createdAt`, `popularity`, `featured`
`GET /orders`	`createdAt`, `status`, `totalAmount`
`GET /categories`	`name`, `position`

Scheme	Header	Format	Used for
`BFFToken`	`X-BFF-Token`	JWT	Customer sessions
`BearerAuth`	`Authorization`	JWT	Service-to-service

Header	Required	Description
`X-BFF-Token`	Customer flows	Customer session JWT
`Authorization`	S2S calls	GCP identity token
`Correlation-Id`	Recommended	Request tracing ID (UUID)

Method	Use	Idempotent
`GET`	Read a resource or collection	Yes
`POST`	Create or perform an action	No
`PUT`	Replace or set resource state	Yes
`DELETE`	Remove a resource	Yes

Header	Description
`Content-Type`	`application/json`
`X-Api-Version`	Version used for this response
`Correlation-Id`	Request correlation ID

Change Type	Breaking?	New Version?
Remove field	Yes	Yes
Change field type	Yes	Yes
Change field semantics	Yes	Yes
Add optional field	No	No
Add new endpoint	No	No
Add parameter + default	No	No

Method	Idempotent	Notes
`GET`	Yes	No side effects
`HEAD`	Yes	No side effects
`PUT`	Yes	Sets resource state
`DELETE`	Yes	Removes resource
`POST`	No	May create duplicates without care