# VACKRON API

Base URL: `/app_api`

All responses use:

```json
{"success":true,"message":"OK","data":{}}
```

Send customer/admin tokens as `Authorization: Bearer {token}`.

## Public And Mobile

- `GET /health`
- `GET /home`
- `GET /categories`
- `GET /collections`
- `GET /banners`
- `GET /products`
- `GET /products/{slug}`
- `POST /auth/register`
- `POST /auth/login`
- `POST /auth/request-otp`
- `POST /auth/verify-otp`
- `POST /auth/forgot-password`
- `POST /auth/reset-password`

## Customer

- `GET /profile`
- `PUT /profile`
- `GET /addresses`
- `POST /addresses`
- `GET /cart`
- `POST /cart`
- `DELETE /cart/{cart_id}`
- `GET /wishlist`
- `POST /wishlist`
- `DELETE /wishlist/{product_id}`
- `POST /coupons/apply`
- `GET /orders`
- `GET /orders/{id}`
- `POST /orders`
- `POST /checkout/shiprocket-token`
- `POST /reviews`

## Shiprocket Checkout

- `GET /shiprocket/products`
- `GET /shiprocket/collections`
- `GET /shiprocket/collections/{id}/products`
- `POST /shiprocket/product-webhook`
- `POST /shiprocket/collection-webhook`
- `POST /shiprocket/access-token`
- `POST /shiprocket/order-webhook`
- `GET /shiprocket/orders/{id_or_order_number}`

Outbound Shiprocket calls are signed with HMAC SHA256 using:

```text
METHOD + "\n" + PATH + "\n" + UNIX_TIMESTAMP + "\n" + JSON_BODY
```

The API sends `x-api-key`, `x-timestamp`, and `x-signature` headers and stores all Shiprocket traffic in `shiprocket_logs`.

## Admin

- `POST /admin/login`
- `GET /admin/dashboard`
- `GET /admin/products`
- `GET /admin/categories`
- `GET /admin/inventory`
- `GET /admin/orders`
- `GET /admin/coupons`
- `GET /admin/customers`
- `GET /admin/notifications`
- `GET /admin/banners`
- `GET /admin/settings`
- `GET /admin/api-logs`
- `GET /admin/otp-logs`
- `GET /admin/shiprocket-logs`
- `POST /admin/products`
- `POST /admin/categories`
- `POST /admin/inventory`
- `POST /admin/orders`
- `POST /admin/coupons`