Every request requires X-Merchant-Id. The second auth header depends on the call context:
| Header | Required for | Notes |
|---|---|---|
| X-Merchant-Id | All requests | Your merchant identifier. |
| Origin | Browser / widget calls | Must match a whitelisted domain. |
| X-API-Key | Server-to-server calls | Replaces Origin. Prefix: tr_. |
| Authorization | Admin endpoints | Format: Bearer <admin auth token>. |
| X-Webhook-Signature | Order Complete webhook | HMAC-SHA256 of raw request body. |
Keep X-API-Key server-side only. It grants full write access. Use Origin validation for browser embeds — never expose the key in client-side code.
Server-to-server example

```javascript
// Runs on your server only: X-API-Key must never reach the browser.
const baseUrl = process.env.RF_BASE_URL || 'https://cdn.tailoredd.com/apiV2';

async function fetchProductReviews(productId) {
  const headers = {
    'X-Merchant-Id': process.env.RF_MERCHANT_ID,
    'X-API-Key': process.env.RF_API_KEY,
    'Content-Type': 'application/json',
  };
  const res = await fetch(`${baseUrl}/products/${encodeURIComponent(productId)}/reviews`, {
    headers,
  });
  if (!res.ok) {
    throw new Error(`Reviews request failed: ${res.status}`);
  }
  const { data } = await res.json();
  return data;
}
```
Browser / widget example

```javascript
// Runs in the browser: send only the merchant id, never the API key.
const BASE_URL = 'https://cdn.tailoredd.com/apiV2';
const MERCHANT_ID = 'YOUR_MERCHANT_ID'; // placeholder: your merchant identifier
const res = await fetch(`${BASE_URL}/products/${encodeURIComponent(productId)}/reviews`, {
  headers: {
    'X-Merchant-Id': MERCHANT_ID,
    // Browsers set Origin automatically and ignore a hand-set value (it is a
    // forbidden header name); the page's origin must be on your whitelist.
    'Origin': location.origin,
  },
});
const { data } = await res.json();
```
Admin endpoints
Admin endpoints require an additional Authorization header with your admin auth token:
```
Authorization: Bearer <admin auth token>
```
Contact contact@tailoredd.com for admin token provisioning.