API REFERENCE

Nuvi REST API

REST endpoints for the entire Nuvi platform — Medusa v2 commerce surface, Nuvi extensions for every module (blog, pages, forms, media, search, brand, themes, localization, currency, metafields, redirects, events, travel, subscriptions, quotes, email marketing, tracking, cookie consent), social login (Google, Apple, Facebook, GitHub, Microsoft), and the AI assistant — powered by your own model key (OpenAI, Gemini, DeepL, ElevenLabs) or pay-as-you-go credits — with 24 skills exposed via /admin/ai/* and /v1/*.

Base URLhttps://usenuvi.com/api

Authentication

Storefront calls authenticate with a publishable API key (header `x-publishable-api-key`). Customer-scoped calls add a JWT bearer issued by the Medusa v2 auth endpoints. Admin calls require an admin JWT.

POST/auth/customer/emailpass

Issue a customer JWT from email + password

Example request
curl -X POST https://usenuvi.com/api/auth/customer/emailpass \
  -H "x-publishable-api-key: pk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"••••"}'
POST/auth/customer/emailpass/register

Register a new customer

DELETE/auth/session

Invalidate the current session

Social Login

Per-tenant OAuth 2.0 / OpenID Connect for Google, Apple, Facebook, GitHub, and Microsoft. The storefront kicks off the flow by redirecting to `/auth/social/{provider}/start`; the provider returns to `/auth/social/{provider}/callback` and the customer JWT is set on the storefront cookie. Apple uses `response_mode=form_post` (POST callback). State + PKCE are persisted in Redis with a 10-minute TTL.

GET/store/auth/social/:provider/start

Begin an OAuth flow — returns `{ authorization_url }`

Example request
curl "https://usenuvi.com/api/store/auth/social/google/start?return_to=/account" \
  -H "x-publishable-api-key: pk_live_..."
GET/store/auth/social/:provider/callback

Exchange code + state → `{ token, customer_id, is_new_link, return_to }`. Set the token as `nuvi_customer_token` cookie on your storefront.

POST/store/auth/social/apple/callback

Apple form_post variant — same response shape, body is `application/x-www-form-urlencoded`

GET/store/auth/social/linked-accounts

List the authenticated customer's connected providers (avatar, email, last_login_at). Requires customer JWT.

DELETE/store/auth/social/linked-accounts/:id

Unlink a single provider. Linked-account records are scoped per-customer; cross-customer access returns 404.

Products

Standard Medusa v2 product endpoints. Variants, prices, and inventory return inline. Use the dedicated /store/search endpoint for full-text search powered by MeiliSearch.

GET/store/products

List products with filters (collection, category, region, price range)

Example request
curl "https://usenuvi.com/api/store/products?limit=20&offset=0" \
  -H "x-publishable-api-key: pk_live_..."
GET/store/products/:id

Retrieve a single product by id or handle

GET/store/product-templates

List product templates for the admin product editor

GET/store/collections

List product collections (Medusa default)

GET/store/categories

List product categories (Medusa default)

GET/store/products/:product_id/reviews

List approved reviews for a product (paginated, sorted)

POST/store/products/:product_id/reviews

Submit a new review (status: pending until moderated)

Carts & Checkout

Standard Medusa cart endpoints plus Nuvi extensions for event tickets and tour bookings. Payment sessions are created against your Stripe / Iyzico accounts.

POST/store/carts

Create an empty cart

POST/store/carts/:id/line-items

Add a product line item

POST/store/carts/:id/event-items

Add an event ticket as a line item (Nuvi)

DELETE/store/carts/:id/event-items/:lineItemId

Remove an event ticket line item

POST/store/carts/:id/tour-items

Add a tour booking line item (Nuvi)

DELETE/store/carts/:id/tour-items/:lineItemId

Remove a tour line item

POST/store/carts/:id/payment-sessions

Create payment sessions for available providers

POST/store/carts/:id/complete

Convert the cart to an order

Example request
curl -X POST https://usenuvi.com/api/store/carts/cart_01.../complete \
  -H "x-publishable-api-key: pk_live_..."
GET/store/checkout-config

Active checkout configuration: enabled fields, payment providers, shipping options

GET/store/payment-config

Per-region payment provider configuration

GET/store/bank-info

Bank-transfer payment instructions for the storefront

Orders

Standard Medusa order endpoints plus a customer-side cancel route.

GET/store/orders/me

List orders for the authenticated customer

GET/store/orders/:id

Retrieve a single order by id

POST/store/orders/:id/cancel

Cancel an order (within the cancellation window)

Customers

Standard Medusa customer endpoints. The authenticated customer can manage their own profile and addresses.

GET/store/customers/me

Get current customer profile

POST/store/customers/me

Update profile fields

POST/store/customers/me/addresses

Add a shipping address

Subscriptions (recurring)

Subscription module endpoints — list available plans, create / manage a customer subscription, and run lifecycle actions (pause, resume, change plan, cancel).

GET/store/subscription-plans

List available subscription plans

GET/store/subscriptions

List the authenticated customer's subscriptions

POST/store/subscriptions

Create a new subscription

GET/store/subscriptions/:id

Retrieve a subscription

POST/store/subscriptions/checkout

Start a subscription checkout (creates the payment session)

POST/store/subscriptions/:id/pause

Pause an active subscription

POST/store/subscriptions/:id/resume

Resume a paused subscription

POST/store/subscriptions/:id/change-plan

Switch to a different plan (prorated)

POST/store/subscriptions/:id/cancel

Cancel a subscription

Quotes (B2B)

Customer-side endpoints for the Quote module — submit ISG / B2B quote requests, browse the public quote catalogue, and download generated PDFs.

POST/store/quote-requests

Submit a quote request with line items + custom fields

GET/store/quote-requests/:quote_number/pdf

Download the generated quote PDF

GET/store/quote-requests/isg-config

Public ISG pricing configuration (services, base rates, location modifiers)

GET/store/quote-services

List quotable services for the dropdown selector

Blog

Public blog content from the page module. Locale-aware, drafts and scheduled posts filtered out automatically.

GET/store/blog-posts

List published posts (locale-aware)

GET/store/blog-posts/:slug

Retrieve post body + sanitized HTML

GET/store/blog-posts/:slug/comments

List comments on a post

POST/store/blog-posts/:slug/comments

Submit a new comment (moderated)

GET/store/blog-categories

List categories with post counts

GET/store/blog-categories/:slug

Retrieve a single category and its posts

GET/store/blog-tags

List tags with post counts

GET/store/blog-tags/:slug

Retrieve a single tag and its posts

GET/store/blog-authors/:id

Author profile with their published posts

Pages

Static CMS pages with SEO meta. Render-ready HTML body included.

GET/store/pages

List all published pages

GET/store/pages/:slug

Retrieve a static page by slug

Forms

Public form definitions and submission endpoint. Forms are configured in the admin and can be embedded anywhere.

GET/store/forms/:slug

Retrieve a form definition (fields, validation, redirects)

GET/store/forms/popup

Retrieve the active popup form (if any)

POST/store/form-submissions

Submit a form (with optional spam token + reCAPTCHA)

Media

Public read-only access to media assets — used by the storefront to render images with metadata.

GET/store/media/:id

Retrieve a single asset by ID (URL, dimensions, alt text)

Email Marketing

List subscriptions, unsubscribe flows, and the public mailbox preview endpoint used by the customer portal.

POST/store/email-subscribe

Subscribe an email to a list (with optional double opt-in)

GET/store/email-unsubscribe

Unsubscribe by token (one-click link)

POST/store/email-unsubscribe

Confirm unsubscribe and capture reason

POST/store/newsletter

Newsletter sign-up (homepage / footer widgets)

Tracking pixels

Email open + click tracking endpoints, plus a generic event ingest. Open tracker returns a 1×1 GIF; click tracker 302-redirects to the destination.

GET/store/track/open/:campaignId/:subscriberId

Pixel-track an email open

GET/store/track/click/:campaignId/:subscriberId

Click-tracking redirect

POST/store/track/events

Generic analytics event ingest (page_view, add_to_cart, …)

Themes & Menus

Read-only access to the active theme config, section definitions, and resolved menus — used by the storefront to render dynamic pages.

GET/store/theme

Active theme: tokens, sections, settings

GET/store/menus/:handle

Resolved menu items for a handle (main-menu, footer-menu, …)

Brand

Brand identity (logo, colors, typography, social links, contact info) used by themes to keep visuals consistent across pages.

GET/store/brand

Resolved brand settings for the active store

Localization

Available locales for the active store and field-level translation overrides.

GET/store/locales

List enabled locales with default + RTL flag

GET/store/translations

Bulk-fetch translation overrides for a resource type

Currency

Live FX rates served to the storefront. Sources include manual overrides, ECB, and Frankfurter (auto-failover).

GET/store/currency-rates

Active rates per configured currency pair

GET/store/exchange-rates

Raw exchange-rate snapshot (with `base` query param)

Metafields

Shopify-style typed custom fields, attachable to products, orders, customers, and any custom resource.

GET/store/metafields/:resource_type/:resource_id

List metafields attached to a specific resource

Redirects

Active 301 / 302 redirects served to the storefront edge. Used by the storefront middleware to honor migration mappings.

GET/store/redirects

List all active redirects (source, target, status code)

Events

Public event endpoints — list events, drill into a single event, list available tickets, and look up the customer's registrations.

GET/store/events

List published events (locale + region aware)

GET/store/events/:slug

Retrieve a single event with schedule + speakers

GET/store/events/:slug/tickets

List ticket variants and remaining inventory

GET/store/events/my-registrations

Authenticated customer's registered events

Travel — tours & destinations

Travel module endpoints — list tours, destinations, categories, and submit / read tour reviews.

GET/store/tours

List published tours with filter (destination, duration, price)

GET/store/tours/:slug

Retrieve a single tour with itinerary + departures

GET/store/tours/:slug/reviews

List approved reviews for a tour

POST/store/tours/:slug/reviews

Submit a new review (moderated)

GET/store/destinations

List travel destinations

GET/store/destinations/:slug

Retrieve a single destination with related tours

GET/store/tour-categories

List tour categories

Service Bookings

Generic booking endpoint for service-based businesses — appointment, consultation, workshop slots.

GET/store/service-bookings

List bookable slots for a service

POST/store/service-bookings

Create a new booking

AI Assistant

Connect powerful AI models — bring your own OpenAI, Gemini, DeepL, or ElevenLabs key, or use pay-as-you-go credits. The assistant ships with 24 capability packs (skills) — store setup, e-commerce editor, theme editor, marketing manager, SEO auditor, image creator, and more. The full skill catalogue is at /ai-skills. Three integration paths: (1) admin-authenticated proxies under /admin/ai/* for in-product AI features, (2) direct nuvi-agent API at /v1/* for server-to-server work (Bearer NUVI_AGENT_API_KEY, never expose to a browser), (3) a real-time streaming variant via SSE for multi-action approval flows.

POST/admin/ai/chat

Single-turn chat — pass message + sessionId, get a response. Auto-detects intent and runs the right skill.

Example request
curl -X POST https://usenuvi.com/api/admin/ai/chat \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{"message":"Bu hafta hangi ürünler en çok satıldı?","session_id":"sess_..."}'
POST/admin/ai/chat/stream

SSE streaming chat — emits incremental tokens, plus action-plan events that the client must approve or reject before execution

POST/admin/ai/chat/stream/:streamId/approve

Approve a pending multi-action plan (proceeds to execute)

POST/admin/ai/chat/stream/:streamId/reject

Reject a pending plan (skips execution, no side effects)

GET/admin/ai/skills

List the 24 available skills with category, examples, and icon name

GET/admin/ai/skills-config

Per-store skill enablement (which skills the operator has turned on for this tenant)

GET/admin/ai/store-context

Store-aware context the assistant uses (catalog size, currencies, locale, configured modules)

POST/admin/ai/translate

One-shot LLM translation — input string + target locale, returns translated string. Used by the admin's 11-locale i18n pipeline.

Example request
curl -X POST https://usenuvi.com/api/admin/ai/translate \
  -H "Authorization: Bearer <admin_jwt>" \
  -H "Content-Type: application/json" \
  -d '{"text":"Save changes","target_locale":"de"}'
POST/admin/ai/voice/blog

Generate AI voiceover for a blog post (audio URL returned when complete)

POST/admin/ai/voice/synthesize-chunk

Synthesize a single chunk on demand (used during incremental editor playback)

POST/admin/ai/marketing/social/draft

AI drafts a social post (caption + hashtags) from a brief

POST/admin/ai/marketing/social/publish

Publish a draft to a connected social account (Facebook, Instagram, ...)

POST/admin/ai/marketing/social/schedule

Schedule a draft for future publish

GET/admin/ai/marketing/metrics/dashboard

Cross-channel campaign metrics (Google Ads, Meta) — spend, impressions, conversions

POST/v1/chat

Direct nuvi-agent chat — Bearer auth with NUVI_AGENT_API_KEY (server-side only)

POST/v1/chat/stream

SSE stream variant — multi-action approval flow events

POST/v1/extract-actions

Extract structured actions from natural language (no execution, plan-only)

GET/v1/skills

List all 24 skills with metadata (id, category, model_tier, icon)

GET/v1/setup-status

Tenant onboarding state — which skills are configured, which need credentials

Webhooks (roadmap)

Outbound event delivery is on the near-term roadmap. Today, subscribe to internal events via the built-in workflow engine. The shape below is the planned signed-payload format — HMAC-SHA256 (header `x-nuvi-signature`).

POSTorder.placed

Fired when a cart converts to an order

POSTorder.payment_captured

Fired when payment is captured

POSTorder.fulfilment_shipped

Fired when fulfilment ships

POSTcustomer.created

Fired on new customer registration

POSTsubscription.renewed

Fired on each successful renewal cycle

POSTquote.submitted

Fired when a customer submits a quote request

Errors

All errors return JSON with `code`, `message`, and `type`. HTTP status follows convention: 400 for validation, 401 for auth, 403 for permission, 404 for not found, 429 for rate-limit, 5xx for server.

Error body
{
  "type": "validation_error",
  "code": "missing_field",
  "message": "Field 'email' is required."
}

Rate limits

Storefront calls: 60 req/sec per IP. Admin calls: 30 req/sec per token. Soft-fail responses include `Retry-After` and `X-RateLimit-Remaining` headers — back off and retry.

Response headers
HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1714425600
Retry-After: 30

Abuse protection

Public POST endpoints (form submissions, blog comments, quote requests, newsletter sign-up) require an anti-spam token issued by the storefront and pass through reCAPTCHA Enterprise. Calls without a valid token return 403. Never expose your admin JWT to client code — keep it server-side and proxy through your own backend.

Build with the API

Get a publishable API key from the dashboard and start integrating in five minutes. Native SDKs for JS, Python, and PHP coming soon — REST works everywhere today.