This page lists the REST calls Bolt’s backend issues against your Magento 2 store, in the order a typical checkout flows through them. All paths are relative to your store’s REST root (e.g. https://example.com/rest/V1/...).

Endpoints prefixed with /V1/bolt/boltpay/... are exposed by the Bolt for Adobe Commerce plugin — see Custom Endpoints for the full catalog. Every other path is a standard Magento REST endpoint.

Authentication is the same for every call: an OAuth Bearer token established during plugin setup. See Authentication.

1. Open Checkout — Load Cart

When the shopper opens Bolt Checkout, Bolt fetches a current snapshot of the cart, totals, items, and the products in the cart.

2. Enter Shipping Address — Estimate Shipping & Tax

When the shopper enters or changes their shipping address, Bolt requests shipping options and a tax estimate.

3. Select Shipping Method — Commit Choice

Selecting a shipping method commits it to the quote and recomputes totals.

4. Apply / Remove Discount

Discount validation goes through Magento’s native rules engine; Bolt does not mirror cart rules.

If your store uses a third-party multi-coupon or gift card module, additional endpoints may be involved; see Custom Endpoints.

5. Add / Update / Remove Cart Items

Bolt-modal item actions are written back to Magento.

6. Submit Order

Order placement diverges based on whether the shopper is logged in. Both paths return the created order ID.

The logged-in path is a custom Bolt plugin endpoint; it wraps carts/mine/payment-information to apply the Bolt payment method and persist transaction metadata in a single round trip.

After the order is created Bolt may issue follow-up calls to enrich the record:

Roll back on failure. If post-creation steps fail (payment declined, fraud rejection, enrichment error), Bolt rolls the Magento order back via DELETE /V1/bolt/boltpay/orders/{orderId} (plugin-created, non-finalized orders only) or POST /V1/orders/{orderId}/cancel for webhook-driven post-authorization cancellation.

7. Post-Order Lifecycle (Transaction Webhooks)

After the order is placed, the lifecycle is driven by transaction events Bolt receives from its payment processor (Worldline, Stripe, Adyen, etc.) and from actions taken in the Bolt Merchant Dashboard. For each event, Bolt’s merchantproxy fires a sequence of REST calls to your Magento store to keep state in sync.

The table below maps each transaction event to the exact Magento REST calls Bolt issues.

After every event Bolt also persists the Bolt transaction reference on the Magento order via POST /V1/bolt/boltpay/transactions (Bolt transaction ID, processor metadata, amount). Plugin-internal helpers POST /V1/bolt/boltpay/order/{orderId}/triggerOrderEvents (replay) and GET /V1/bolt/boltpay/defaultOrderStatuses (status mapping) are used as needed.

Total mismatch. Before processing any post-order event Bolt verifies the order total against the amount in the webhook. If the difference is within the merchant’s configured allowed mismatch, processing continues; otherwise the webhook is rejected and surfaced as an alert in the dashboard.

See Webhooks for setup, signature verification, and failure handling, and Custom Endpoints — Cart & Order for the full /V1/bolt/boltpay/... catalog.

8. Magento Admin → Bolt API Calls

The Bolt for Adobe Commerce plugin also makes outbound calls from Magento to Bolt when an operations user performs an action directly in Magento Admin (rather than in the Bolt Merchant Dashboard). The plugin uses Bolt’s public Transactions API; host is https://api.bolt.com (production) or the corresponding sandbox / staging host.

These calls are signed with the merchant’s Bolt API Key (configured in the plugin admin during setup — see Bolt API Credentials). This is a different credential from the Magento OAuth token Bolt uses for the inbound direction documented in Authentication — Bolt → Magento and Magento → Bolt are two independent credentials, configured at the same time during plugin install.