All requests that Bolt makes to your ecommerce Merchant API are signed so that you can confirm their authenticity. Your implementation should always verify the signature to confirm that the request really came from Bolt.
Bolt signs the payload and includes the HMAC signature in the request header X-Bolt-Hmac-Sha256. There are two ways to verify the payload with this signature.
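A local check of this header, as an added example that is not Bolt's own code. It assumes the header value is the base64-encoded HMAC-SHA256 of the raw request body, keyed with your Signing Secret; the function names, secret and payload below are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

HEADER_NAME = "X-Bolt-Hmac-Sha256"

# Constructed sample values, not real credentials or a real Bolt payload.
SAMPLE_SECRET = "example-signing-secret"
SAMPLE_BODY = b'{"type":"pending","order_reference":"cart-1001"}'


def compute_signature(raw_body: bytes, signing_secret: str) -> str:
    """Assumed scheme: base64(HMAC-SHA256(signing_secret, raw_body))."""
    digest = hmac.new(signing_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_request(headers: dict, raw_body: bytes, signing_secret: str) -> bool:
    """Return True only if the signature header matches the raw body."""
    # HTTP header names are case-insensitive, so match without regard to case.
    received = next(
        (v for k, v in headers.items() if k.lower() == HEADER_NAME.lower()), None
    )
    # Fail closed on a missing header or an unset secret.
    if not received or not signing_secret:
        return False
    expected = compute_signature(raw_body, signing_secret)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received.strip().encode("utf-8"))


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-dump the JSON; the bytes change, so the signature no longer matches."""
    return json.dumps(json.loads(raw_body)).encode("utf-8")


if __name__ == "__main__":
    hdrs = {HEADER_NAME: compute_signature(SAMPLE_BODY, SAMPLE_SECRET)}
    print("original body:     ", verify_request(hdrs, SAMPLE_BODY, SAMPLE_SECRET))
    print("re-serialized body:", verify_request(hdrs, reserialized(SAMPLE_BODY), SAMPLE_SECRET))
    print("missing header:    ", verify_request({}, SAMPLE_BODY, SAMPLE_SECRET))
```

Verify against the exact bytes received on the wire, before any JSON parsing, and reject the request when the check fails.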
If you are creating orders through the frontend rather than through the pre-auth endpoint, the order creation can be interrupted by a disrupted internet connection during checkout or by a customer’s browser crashing.
To handle orphaned transactions, make sure that the pending transaction hook is capable of converting an existing cart order_reference into an order.
|Key|Purpose|
|---|---|
|API Key|Used for calling Bolt API from your backend server|
|Publishable Key|Embedded on your website and used by Bolt to identify your website|
|Signing Secret|Used for signature verification on requests received from Bolt|