Use the Bolt API to create orders, authorize payments, manage shopper accounts, and receive webhooks. Your server makes outbound REST calls to Bolt; Bolt makes inbound callbacks to your server for cart, shipping, and tax.

Prerequisites

Get credentials

Copy these values from Administration → API in your dashboard:
KeyUse
API keyServer-side outbound API calls (X-API-Key header)
Signing secretVerify inbound webhooks and Merchant Callback requests
Publishable keyClient-side SDK initialization (checkout modal, Connect, embeddable components)
Sandbox and production each have separate keys. See API keys for dashboard screenshots and key rotation.

Configure your environment

Store credentials in environment variables. Never commit keys to source control.
BOLT_ENV=sandbox
BOLT_API_BASE_URL=https://api-sandbox.bolt.com
BOLT_API_KEY=your_sandbox_api_key
BOLT_SIGNING_SECRET=your_sandbox_signing_secret
BOLT_PUBLISHABLE_KEY=your_sandbox_publishable_key
For production, set BOLT_ENV=production and BOLT_API_BASE_URL=https://api.bolt.com with production keys.
.env
BOLT_ENV=sandbox
BOLT_API_BASE_URL=https://api-sandbox.bolt.com
BOLT_API_KEY=your_sandbox_api_key
BOLT_SIGNING_SECRET=your_sandbox_signing_secret
BOLT_PUBLISHABLE_KEY=your_sandbox_publishable_key
Never use sandbox keys against api.bolt.com or production keys against api-sandbox.bolt.com. Mismatched credentials return 401 errors.
See Environments for CDN URLs, divisions, and approved domains.

Make your first request

List recent transactions in sandbox to confirm your API key and base URL are correct.
cURL
curl "https://api-sandbox.bolt.com/v1/merchant/transactions" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json"
Expected result: HTTP 200 with a JSON response. If you receive 401, confirm you are using the API key (not the publishable key) and the matching sandbox base URL. See Authentication for inbound HMAC verification, OAuth, and required headers.

How the docs are organized

SectionWhat it covers
Integration guidesUse-case entry points: checkout, Connect, subscriptions, gaming
Merchant CallbackEndpoints Bolt calls on your server (cart, shipping, tax)
EndpointsOutbound REST resources: orders, transactions, accounts, webhooks

Response codes

StatusMeaning
200Success
400Invalid parameters
401Missing or invalid API key
403Forbidden: check signing or permissions
404Resource not found
422Validation error
429Rate limited
5xxBolt server error
See Errors for Bolt-specific error codes.