KARATHEN API MODEL

API Tech Solutions provides scalable and secure API development and integration services to enhance business efficiency.

Developer Primer

General API Field Guide

A practical, architect-level field guide to modern integrations—covering auth models, common workflows, sample requests, and production gotchas.

Carrier • Parcels • Labels • Tracking

UPS API

UPS provides REST endpoints for rating, shipping/labels, pickups, address validation, and tracking. Typical environments include a sandbox and production, with strict validation on addresses, service levels, and packaging.

Auth & Environment

  • Auth: OAuth 2.0 (client credentials) yielding short-lived access tokens.
  • Environments: Sandbox (test) and Production; keep shipper numbers & account IDs separate.
  • Scope: Enable only the products you need (Rate, Ship, Track) to avoid permission errors.

Core Capabilities

  • Rates by service (e.g., Ground, 2nd Day Air), including negotiated rates.
  • Shipment creation with label formats (PDF, ZPL/EPL) and return labels.
  • Tracking lookups (single or batch) with status milestones.
  • Address validation & classification (residential vs. commercial).

Typical Flow

  1. Validate/normalize address.
  2. Get rates (dim weight, declared value, special services).
  3. Create the shipment → receive label + tracking number.
  4. (Optional) Schedule a pickup; store tracking events.

Common Gotchas

  • Dimensional weight rules affect cost—always send accurate dimensions.
  • International shipments require customs docs (HS codes, reason for export).
  • Label format must match your printer (ZPL for thermal, PDF for laser).
  • Residential/commercial misclassification can change rates/surcharges.
🔑
Tip: Cache OAuth tokens and your “shipper number” mapping by environment. Keep a test customer/address you know passes validation to quickly smoke test deployments.

Sample: Get Access Token & Create Shipment

# 1) Token (Client Credentials)
curl -X POST https://{ups-auth-host}/security/v1/oauth/token \
  -u "<client_id>:<client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials"

# 2) Create Shipment (simplified)
curl -X POST https://{ups-host}/api/shipments/v1/ship \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "shipper": {"name":"Karathen API","number":"<shipperNumber>"},
    "shipTo": {"name":"Jane Doe","address":{"line1":"500 Main St","city":"Tampa","state":"FL","postalCode":"33602","country":"US"}},
    "packages": [{"weight":{"unit":"LB","value":3.2},"dimensions":{"unit":"IN","length":12,"width":8,"height":4}}],
    "serviceCode":"03",  // Example: Ground
    "label":{"format":"PDF"}
  }'
Carrier • REST • OAuth2

FedEx API

Modern FedEx APIs expose rating, shipping/labels, tracking, and pickups via OAuth 2.0 with distinct sandbox and production endpoints. Plans and permissions are tied to your FedEx account.

Auth & Setup

  • Auth: OAuth 2.0 client credentials → access token.
  • Account: Ensure shipping services are enabled on the account you’ll bill.
  • Labels: PDF & ZPL/EPL; support for returns and paperless trade where applicable.

Key Endpoints

  • Rates: quote services, add options (signature, Saturday delivery).
  • Ship: create, cancel, and return shipments.
  • Track: detailed scan events, proof-of-delivery where permitted.
  • Pickup: schedule/cancel pickups; cutoff/business days logic.

Sample: Token & Rate Quote

# 1) Access Token
curl -X POST https://{fedex-auth-host}/oauth/token \
  -u "<client_id>:<client_secret>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials"

# 2) Get Rates (simplified)
curl -X POST https://{fedex-host}/rate/v1/rates/quotes \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "accountNumber":{"value":"<acct>"},
    "requestedShipment":{
      "shipper":{"address":{"postalCode":"33602","countryCode":"US"}},
      "recipient":{"address":{"postalCode":"90001","countryCode":"US","residential":true}},
      "pickupType":"DROPOFF_AT_FEDEX_LOCATION",
      "requestedPackageLineItems":[{"weight":{"units":"LB","value":3.2}}],
      "serviceType":"FEDEX_GROUND"
    }
  }'
⚠️
Watchouts: dimensional weight, special handling surcharges, and delivery area surcharges can change totals—mirror FedEx’s business rules in your UI to avoid surprises at checkout.
Postal • Web Tools • XML/REST

USPS API

USPS “Web Tools” have long provided XML-based endpoints for domestic/international rate quotes, tracking, and address verification. Full label creation usually goes through approved programs (e.g., eVS) or PC-Postage partners rather than the public Web Tools.

Auth & Access

  • Credential: Web Tools USERID (and sometimes password) assigned per account.
  • Usage: Legacy XML over HTTP; some newer endpoints offer REST. IP whitelisting may apply.

What You Can Do

  • Rates: USPS retail/commercial pricing for supported services.
  • Tracking: basic scan events by tracking number.
  • Address checks: ZIP lookup, City/State, and standardization.
  • Labels: typically via eVS/PC-Postage rather than public XML API.

Sample: Domestic Rate (legacy XML)

# GET with XML payload (legacy pattern; encode the XML)
https://secure.shippingapis.com/ShippingAPI.dll?API=RateV4&XML=<RateV4Request USERID="<USERID>">
  <Package ID="1">
    <Service>PRIORITY</Service>
    <ZipOrigination>33602</ZipOrigination>
    <ZipDestination>90001</ZipDestination>
    <Pounds>3</Pounds>
    <Ounces>3.2</Ounces>
    <Container>VARIABLE</Container>
    <Size>REGULAR</Size>
    <Machinable>true</Machinable>
  </Package>
</RateV4Request>
💡
Tip: For production label generation and best commercial rates, many teams integrate USPS through a certified postage provider. You’ll still store tracking and events the same way.
Marketplace • SP-API • AWS SigV4

Amazon Seller API (SP-API)

Amazon’s Selling Partner API (SP-API) powers listings, orders, reports, feeds, and more. Auth combines Login With Amazon (LWA) and AWS Signature v4. Permissions/scopes are strict, and throttling is per-operation.

Auth Layers

  • LWA: Exchange refresh token → access token for the selling partner’s account.
  • AWS SigV4: Sign each HTTP request (region & service specific).
  • RDT: Restricted Data Tokens for PII fields (e.g., buyer info).

Key Domains

  • Orders: list/get orders & line items; acknowledge, ship, confirm.
  • Catalog & Listings: list catalogs, create/update offers & prices.
  • Feeds/Uploads: bulk operations (inventory, pricing, listings).
  • Reports: schedule & download; flat files and JSON.

Sample: Create a Feed (2-step upload)

# Pseudocode-ish: 1) create a "document" to upload to
POST /feeds/2021-06-30/documents
{ "contentType": "text/tab-separated-values; charset=UTF-8" }

# → returns { url, encryptionDetails, documentId }

# 2) PUT your file to the pre-signed S3 URL with encryption details
PUT <url>
<file bytes>

# 3) Create the feed referencing the documentId
POST /feeds/2021-06-30/feeds
{ "feedType": "POST_PRODUCT_DATA", "marketplaceIds":["<marketplaceId>"], "inputFeedDocumentId":"<documentId>" }
⚠️
Watchouts: Per-operation throttles (restore/burst rates), marketplace-specific behaviors, and time-boxed report availability windows. Implement automatic retry/backoff, and persist feed/report processing IDs for later status checks.

Operational Advice

  • Abstract marketplace IDs and currencies; avoid hard-coding NA/EU regions.
  • Centralize signing; verify system clock skew to prevent SigV4 failures.
  • Log original payloads and responses to reconcile with Seller Central.

Security

  • Scope approvals are audited; store tokens securely.
  • Use RDT only when necessary; purge PII promptly per policy.
eCommerce • Admin API • Webhooks

Shopify Admin API

Shopify’s Admin API (REST and GraphQL) lets apps manage products, collections, orders, fulfillment, customers, and more on a per-store basis. Apps authenticate via OAuth and receive a store-scoped access token. Webhooks power near-real-time reactions.

Auth & Scopes

  • Per-store OAuth install → Admin API access token.
  • Least-privilege scopes (e.g., write_products, read_orders).
  • Webhook HMAC validation using the app’s shared secret.

What You Can Do

  • Products/Variants: CRUD, images, metafields.
  • Orders/Fulfillment: read/update, create fulfillments & tracking.
  • Pricing: discounts, price rules, draft orders.
  • Storefront: via Storefront GraphQL for headless builds.

Sample: GraphQL – Create a Product

POST https://<shop>.myshopify.com/admin/api/2024-10/graphql.json
X-Shopify-Access-Token: <token>
Content-Type: application/json

{
  "query": "mutation($input: ProductInput!) { productCreate(input: $input) { product { id title handle } userErrors { field message } } }",
  "variables": {
    "input": {
      "title": "Karathen API Tee",
      "status": "ACTIVE",
      "variants": [{ "price": "24.00" }]
    }
  }
}

Sample: REST – List Orders

GET https://<shop>.myshopify.com/admin/api/2024-10/orders.json?status=any
X-Shopify-Access-Token: <token>
⚠️
Watchouts: Rate limits differ between REST (leaky bucket) and GraphQL (cost-based). Use cursor pagination (pageInfo in GraphQL) and respect checkpointing for large syncs. Always verify webhook HMACs.

Fulfillment Flow (Typical)

  1. Order created → webhook (orders/create).
  2. Rate shop cart at checkout via carrier APIs or a shipping app.
  3. Create fulfillment with tracking; update order status.
  4. Webhook (fulfillments/create) → notify customer.

Metafields & Extensibility

  • Attach custom data to products, orders, customers.
  • Use Admin UI extensions & app blocks for merchant-facing UI.
POS • Payments • Webhooks

Clover API

Clover provides APIs to integrate with its Point-of-Sale (POS) ecosystem. It allows developers to access merchants’ data (with permission), process payments, manage orders, customers, inventory, and react to real-time events via webhooks.

Auth & Setup

  • Auth: OAuth 2.0 with merchant-granted tokens.
  • Scopes: Fine-grained (e.g., merchant:read, inventory:write).
  • Environment: Sandbox (developer) and Production (merchant live data).

Core Capabilities

  • Process payments (credit, debit, contactless).
  • Access order lifecycle (create, update, close orders).
  • Manage inventory (items, modifiers, stock counts).
  • Customer profiles (loyalty, marketing integration).
  • Webhooks for payments, orders, employee activity.

Sample: Create an Order & Take Payment

# 1) Create Order
POST https://api.clover.com/v3/merchants/{mId}/orders
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "title": "Order #12345",
  "total": 2400,
  "state": "open"
}

# 2) Take Payment
POST https://api.clover.com/v3/merchants/{mId}/orders/{orderId}/payments
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "amount": 2400,
  "tipAmount": 0,
  "externalPaymentId": "ext-12345"
}
💡
Tip: Always use the sandbox environment first. For production, merchants must explicitly approve your app and scopes. Store OAuth refresh tokens securely and rotate them as needed.

Typical Flow

  1. App installed → OAuth authorization → get merchant token.
  2. Create or update an order via API.
  3. Process payment → receive confirmation with IDs.
  4. Subscribe to webhooks for payment/order updates.

Common Gotchas

  • Access tokens are merchant-specific; don’t reuse across merchants.
  • Webhooks must validate Clover’s HMAC signature.
  • Sandbox may not support all card features (test carefully).
  • Some endpoints differ slightly by device type (Flex, Mini, Station).
Social • Graph API • Webhooks

Facebook Graph API

The Facebook Graph API powers Facebook Pages and Instagram Business integrations (via the Instagram Graph API). Apps use OAuth 2.0 to obtain user/page tokens and must pass App Review for many permissions.

Auth & Permissions

  • OAuth 2.0 → user access token → exchange for long-lived token → page access token.
  • Common permissions: pages_manage_posts, pages_read_engagement, pages_manage_metadata, instagram_basic, instagram_content_publish (IG).
  • App Review required for most publish/read scopes beyond development mode.

Core Capabilities

  • Publish content to Facebook Pages & Instagram Business accounts.
  • Read insights/engagement, manage comments, DMs (IG permissions required).
  • Webhooks for subscriptions (e.g., comments, mentions, messages).

Sample: Publish a Photo to a Page

POST https://graph.facebook.com/v21.0/{page_id}/photos
Authorization: Bearer <PAGE_ACCESS_TOKEN>
Content-Type: application/x-www-form-urlencoded

url=https://example.com/image.jpg
&caption=Hello%20from%20Karathen%20API
💡
Tip: Verify webhooks with your app secret. Facebook sends X-Hub-Signature-256; compute HMAC SHA-256 with the app secret and compare.

Typical Flow

  1. User logs in → get user token → exchange long-lived token.
  2. Retrieve Page list → request Page Access Token.
  3. Publish posts or media; subscribe to webhooks for comments/messages.
  4. Refresh tokens periodically; rotate app secret.

Gotchas

  • Development mode limits data to app roles until App Review approval.
  • Different endpoints/permissions for Instagram vs Facebook Pages.
  • Rate limits & feature limits vary; handle errors with backoff.
Social • Marketing Developer Platform • UGC

LinkedIn API

LinkedIn’s Marketing Developer Platform enables organization-scoped posting, social engagement, ads, and analytics. Access is gated—many capabilities require partner approval and specific products enabled.

Auth & Scopes

  • OAuth 2.0 Authorization Code → access/refresh tokens.
  • Common scopes: r_liteprofile, w_member_social, rw_organization_admin, r_organization_social.
  • Organization posting requires admin privileges for the organization.

Core Capabilities

  • Create UGC posts (member or organization actor).
  • Upload and attach images/videos to posts.
  • Analytics and social actions (likes, comments) with proper scopes.

Sample: Create a Text UGC Post (Organization)

POST https://api.linkedin.com/v2/ugcPosts
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "author": "urn:li:organization:<orgId>",
  "lifecycleState": "PUBLISHED",
  "specificContent": {
    "com.linkedin.ugc.ShareContent": {
      "shareCommentary": { "text": "Hello from Karathen API 👋" },
      "shareMediaCategory": "NONE"
    }
  },
  "visibility": { "com.linkedin.ugc.MemberNetworkVisibility": "PUBLIC" }
}
⚠️
Watchouts: Asset uploads (images/video) are a two-step flow (register upload → PUT bytes → reference in post). Some endpoints are restricted; expect 403 without correct product access and org role.

Typical Flow

  1. OAuth login → verify org admin permissions.
  2. (Optional) Register and upload media, capture asset URNs.
  3. Create UGC post with org actor; monitor engagement.
  4. Use paging for analytics; respect throttling headers.

Gotchas

  • Many APIs require partner application and approval.
  • UGC vs Shares APIs differ; prefer UGC for newer features.
  • Webhooks/notifications are limited—plan for polling in some cases.
Social • Content Posting • OAuth

TikTok API

TikTok offers APIs for login, basic profile, and (for Business Accounts) content publishing and analytics via its developer/marketing platforms. Posting capabilities are scoped and often restricted to Business accounts.

Auth & Access

  • OAuth 2.0 with app-configured redirect URIs.
  • Scopes vary by product (e.g., video upload/publish, basic profile, analytics).
  • Some endpoints only for Business Accounts connected to your app.

Core Capabilities

  • Initiate upload → transfer video bytes → publish post with caption/cover.
  • Retrieve account/profile info and content performance (where allowed).
  • Webhooks/Subscriptions available for certain events; otherwise poll.

Sample: Upload & Publish Video (Business)

# 1) Initialize upload session
POST https://open.tiktokapis.com/v2/video/upload/init/
Authorization: Bearer <access_token>
Content-Type: application/json

{ "source_info": { "source": "FILE" } }

# → returns upload_url + upload_id

# 2) Upload the file bytes to upload_url (PUT)

# 3) Publish
POST https://open.tiktokapis.com/v2/video/publish/
Authorization: Bearer <access_token>
Content-Type: application/json

{
  "upload_id": "<upload_id>",
  "caption": "Karathen API demo 🚀"
}
💡
Tip: Captions have length and keyword rules; follow TikTok guidelines. Some music/branding features aren’t available via API; test on a sandbox or non-public audience.

Typical Flow

  1. User connects Business account via OAuth.
  2. Initialize upload → send bytes → publish with caption/cover.
  3. Store returned IDs; fetch analytics later.

Gotchas

  • Personal accounts have limited API posting support.
  • Uploads can be large; use chunked transfer and retry logic.
  • Regional restrictions & content policies may block publishing.
Email • Audiences • Contacts • Webhooks

Mailchimp Marketing API

Mailchimp’s v3.0 Marketing API manages audiences (lists), contacts, campaigns, and automations. Auth supports API keys (Basic) and OAuth 2.0 for connected apps. Most contact operations are scoped to an audience (aka list_id).

Auth & Setup

  • Auth (API key): Authorization: Basic with base64 of anystring:API_KEY. Datacenter comes from key suffix (e.g., us9).
  • Auth (OAuth): Bearer token (Authorization: Bearer <access_token>).
  • Base URL: https://<dc>.api.mailchimp.com/3.0 (replace <dc> with your datacenter).
  • IDs: A “list” is an audience (list_id). Contacts are addressed by subscriber_hash = MD5(lowercase(email)).

Core Capabilities

  • Audiences: create/update, fields (merge fields), interest groups.
  • Members: upsert (subscribe/pending/unsubscribe/archive), tags.
  • Campaigns: create, set content, send; templates; folders.
  • Webhooks: subscribe to audience events (subscribe, profile updates, cleaned).
  • Reports & Insights: campaign and audience-level metrics.

Sample: Upsert a Contact (Subscribe or Update)

# Upsert a member into an Audience (list)
# subscriber_hash = MD5(lowercase(email_address))
PUT https://<dc>.api.mailchimp.com/3.0/lists/{list_id}/members/{subscriber_hash}
Authorization: Basic <base64(anystring:API_KEY)>
Content-Type: application/json

{
  "email_address": "ugarte16423@gmail.com",
  "status_if_new": "subscribed",   // "subscribed" | "pending" | "unsubscribed"
  "status": "subscribed",          // when updating existing
  "merge_fields": {
    "FNAME": "Raul",
    "LNAME": "Ugarte Zurdo",
    "PHONE": "+1 813 555 0000",
    "ODOO": "12345"                // custom merge field tag for "Odoo ID"
  },
  "tags": ["Customer", "Odoo"]
}
💡
Tags vs Merge Fields: Use tags for segmenting; use merge fields for structured data like “Odoo ID”. Retrieve current merge fields first to find the exact tag (e.g., ODOO).

List / Manage Merge Fields

# 1) List merge fields to discover tags (e.g., FNAME, LNAME, ODOO)
GET https://<dc>.api.mailchimp.com/3.0/lists/{list_id}/merge-fields
Authorization: Basic <base64(anystring:API_KEY)>

# 2) Create a custom merge field "Odoo ID" with tag ODOO (example)
POST https://<dc>.api.mailchimp.com/3.0/lists/{list_id}/merge-fields
Authorization: Basic <base64(anystring:API_KEY)>
Content-Type: application/json

{
  "name": "Odoo ID",
  "type": "text",
  "tag": "ODOO",
  "required": false,
  "public": true
}

Create an Audience (List)

POST https://<dc>.api.mailchimp.com/3.0/lists
Authorization: Basic <base64(anystring:API_KEY)>
Content-Type: application/json

{
  "name": "Karathen Customers",
  "permission_reminder": "You are receiving this because you opted in at checkout.",
  "email_type_option": true,
  "contact": {
    "company": "Karathen",
    "address1": "500 Main St",
    "city": "Tampa",
    "state": "FL",
    "zip": "33602",
    "country": "US"
  },
  "campaign_defaults": {
    "from_name": "Karathen",
    "from_email": "no-reply@karathen.com",
    "subject": "",
    "language": "en"
  }
}

Webhooks: Receive Audience Events

POST https://<dc>.api.mailchimp.com/3.0/lists/{list_id}/webhooks
Authorization: Basic <base64(anystring:API_KEY)>
Content-Type: application/json

{
  "url": "https://staging-api.karathen.com/mailchimp/webhook",
  "events": {
    "subscribe": true,
    "unsubscribe": true,
    "profile": true,
    "cleaned": true,
    "upemail": true,
    "campaign": true
  },
  "sources": { "user": true, "admin": true, "api": true }
}

Typical Contact Flow

  1. Ensure merge fields exist (e.g., ODOO custom field).
  2. Compute subscriber_hashPUT member with status_if_new.
  3. Apply tags for segments; update profile fields as needed.
  4. Listen to webhooks for changes (unsubscribed, cleaned, profile updates).

Common Gotchas

  • Archived vs Deleted: Archived contacts can usually be re-subscribed via PUT with status/status_if_new. Permanently deleted contacts must re-opt-in via a form; API will reject.
  • “Signed up to a lot of lists recently”: Anti-abuse throttle—try later or use double opt-in (pending), or have the user confirm via your hosted form.
  • Field Tags: Use the merge field tag (e.g., ODOO), not the display name (“Odoo ID”). Discover via /merge-fields.
  • Status transitions: Some transitions require pending + confirmation depending on account settings and compliance.
⚠️
Compliance: Respect opt-in. If the API returns errors about permanent deletion or consent, do not force-add—send an invite to re-subscribe through a double opt-in form.