Use the Bolt API to create orders, authorize payments, manage shopper accounts, and receive webhooks. Your server makes outbound REST calls to Bolt; Bolt makes inbound callbacks to your server for cart, shipping, and tax.
Prerequisites
Get credentials
Copy these values from Administration → API in your dashboard:
| Key | Use |
|---|
| API key | Server-side outbound API calls (X-API-Key header) |
| Signing secret | Verify inbound webhooks and Merchant Callback requests |
| Publishable key | Client-side SDK initialization (checkout modal, Connect, embeddable components) |
Sandbox and production each have separate keys. See API keys for dashboard screenshots and key rotation.
Store credentials in environment variables. Never commit keys to source control.
BOLT_ENV=sandbox
BOLT_API_BASE_URL=https://api-sandbox.bolt.com
BOLT_API_KEY=your_sandbox_api_key
BOLT_SIGNING_SECRET=your_sandbox_signing_secret
BOLT_PUBLISHABLE_KEY=your_sandbox_publishable_key
For production, set BOLT_ENV=production and BOLT_API_BASE_URL=https://api.bolt.com with production keys.
BOLT_ENV=sandbox
BOLT_API_BASE_URL=https://api-sandbox.bolt.com
BOLT_API_KEY=your_sandbox_api_key
BOLT_SIGNING_SECRET=your_sandbox_signing_secret
BOLT_PUBLISHABLE_KEY=your_sandbox_publishable_key
Never use sandbox keys against api.bolt.com or production keys against api-sandbox.bolt.com. Mismatched credentials return 401 errors.
See Environments for CDN URLs, divisions, and approved domains.
Make your first request
List recent transactions in sandbox to confirm your API key and base URL are correct.
curl "https://api-sandbox.bolt.com/v1/merchant/transactions" \
-H "X-API-Key: YOUR_API_KEY" \
-H "Content-Type: application/json"
Expected result: HTTP 200 with a JSON response. If you receive 401, confirm you are using the API key (not the publishable key) and the matching sandbox base URL.
See Authentication for inbound HMAC verification, OAuth, and required headers.
How the docs are organized
| Section | What it covers |
|---|
| Integration guides | Use-case entry points: checkout, Connect, subscriptions, gaming |
| Merchant Callback | Endpoints Bolt calls on your server (cart, shipping, tax) |
| Endpoints | Outbound REST resources: orders, transactions, accounts, webhooks |
Response codes
| Status | Meaning |
|---|
200 | Success |
400 | Invalid parameters |
401 | Missing or invalid API key |
403 | Forbidden: check signing or permissions |
404 | Resource not found |
422 | Validation error |
429 | Rate limited |
5xx | Bolt server error |
See Errors for Bolt-specific error codes.