Developer Portal Overview
Developer Portal Overview
The current SeloraX "developer portal" is not a separate public REST service. It is the dashboard-facing app management surface exposed by the main backend and used by the SeloraX admin app.
These routes let merchants, internal teams, and app developers:
- create and manage app registry records
- submit apps for review and approve/reject listings
- install or uninstall apps on a store
- generate iframe embed parameters and refresh embedded session tokens
- manage merchant-owned webhook subscriptions and inspect delivery logs
- approve, decline, cancel, and complete app billing flows
Important Distinction
There are two API families in the platform:
-
Dashboard-facing app management APIs Used by the SeloraX admin dashboard with merchant/admin authentication. Examples:
/api/apps/api/apps/installations/api/apps/session/api/apps/webhooks/api/apps/billing
-
App-facing runtime APIs Used by installed apps with Bearer access tokens or client credentials. Examples:
/api/apps/v1/orders/api/apps/v1/products/api/apps/v1/billing/api/apps/v1/webhooks
This section documents the dashboard-facing side. For runtime APIs, use the API Reference.
Authentication Model
These routes are protected by the dashboard auth stack, not by a separate developer access token.
Typical requirements are:
- authenticated admin session (
auth) - store-admin role checks (
admin) - store ownership validation (
storeOwnership) where a store is involved - feature permissions such as
apps__manage_apps,apps__install_apps, orapps__view_webhooks
In practice, these routes are usually called from the SeloraX dashboard frontend rather than from third-party public clients.
Endpoint Groups
App registry and review
GET /api/appsGET /api/apps/marketplaceGET /api/apps/developmentGET /api/apps/reviewGET /api/apps/:app_idPOST /api/appsPUT /api/apps/:app_idDELETE /api/apps/:app_idPOST /api/apps/:app_id/submit-for-reviewPOST /api/apps/:app_id/reviewPOST /api/apps/:app_id/rotate-secretPOST /api/apps/:app_id/generate-signing-keyGET /api/apps/scopes
See Apps API.
Installations and embedded sessions
POST /api/apps/installations/direct-installGET /api/apps/installationsPOST /api/apps/installations/:installation_id/uninstallGET /api/apps/session/embed-paramsPOST /api/apps/session/session-tokenPOST /api/apps/session/verify
These routes bridge the dashboard and embedded apps. The session routes are especially important for iframe loading and short-lived JWT refresh.
Merchant webhook management
GET /api/apps/webhooks/subscriptionsPOST /api/apps/webhooks/subscriptionsPUT /api/apps/webhooks/subscriptions/:idDELETE /api/apps/webhooks/subscriptions/:idPUT /api/apps/webhooks/subscriptions/:id/togglePUT /api/apps/webhooks/subscriptions/batchDELETE /api/apps/webhooks/subscriptions/batchPUT /api/apps/webhooks/subscriptions/batch/toggleGET /api/apps/webhooks/deliveriesPOST /api/apps/webhooks/deliveries/:delivery_id/retry
See Webhooks API.
Merchant-facing app billing
GET /api/apps/billing/charges/:idPOST /api/apps/billing/charges/:id/approvePOST /api/apps/billing/charges/:id/declinePOST /api/apps/billing/charges/:id/cancelGET /api/apps/billing/callbackGET /api/apps/billing/history
These are the approval and completion routes used after an app creates charges through the runtime Billing API.
When To Use Which Docs
- If you are building an app backend that calls SeloraX with app credentials, start with API Overview.
- If you are building an embedded app iframe, read Session Tokens and Session Token Flow.
- If you are working on dashboard-side app lifecycle screens, use this Developer Portal section.
Current State
This section reflects the app platform that exists in the main SeloraX backend today. Older references to a separate portal.selorax.io/api/v1 surface are obsolete for the current implementation.