commerce-api (GraphQL + storefront + agentic)
Commerce exposes an authenticated product GraphQL API, authenticated import/product REST routes, storefront REST, and signed agentic-commerce protocols.
Runtime
| Property | Current contract |
|---|---|
| Production API origin | https://api.commerce.inblack.app |
| GraphQL | POST /graphql |
| Product REST | /api/v1/* |
| Storefront REST | /storefront/v1/* |
| Agentic commerce | /agentic/ucp/{brand_id}/* and /agentic/acp/{brand_id}/* |
| GraphQL operations | 348: 134 queries, 211 mutations, 3 subscriptions |
| HTTP registrations | 159 total; 115 storefront/partner routes and 24 authenticated product routes |
commerce.inblack.app is the Commerce SPA origin. Source-backed agentic profile examples may use it as a public protocol host, but admin API clients should use the deployed API origin supplied by configuration.
GraphQL example
curl https://api.commerce.inblack.app/graphql \ -H "Authorization: Bearer <token>" \ -H "X-Tenant-ID: <tenant-id>" \ -H "Content-Type: application/json" \ -d '{"query":"{ products(limit: 5) { products { id sku name status } pageInfo { totalCount hasMore } } }"}'The schema covers catalog, collections, categories, inventory, orders, pricing, bulk actions, customers, B2B, marketing, reports, billing, and tenant settings. See the GraphQL operation reference.
Storefront and partner routes
The generated HTTP route reference is canonical for registered methods and paths. It includes:
- Storefront catalog, search, cart, checkout, customer account, forms, content, redirects, reviews, returns, and recommendations under
/storefront/v1. - UCP offers, carts, checkout sessions, orders, and MCP under
/agentic/ucp/{brand_id}. - ACP checkout sessions under
/agentic/acp/{brand_id}. - Shopify installation/callback and provider webhook registrations.
Authentication differs by surface. Storefront SDK keys, customer tokens, channel OAuth, and signed UCP/ACP scope are not interchangeable with admin bearer credentials. Follow the dedicated storefront or agentic-commerce guide for the selected route.
Agent boundary
Storefront and signed shopping-agent protocols call their HTTP surfaces directly. Administrative agents default to Commerce MCP tools. Destructive public MCP actions remain blocked even when an administrative GraphQL mutation or provider callback exists.