The B2C Checkout endpoint has the option to use modern browsers' Cross-Origin Resource Sharing (CORS) support to allow a checkout call from a safelisted domain using a publishable key.
Typically, an online ticketing integration follows a flow similar to this:
1. A user adds items to a shopping cart via the client’s frontend.
2. The information collected on the frontend is passed to the client’s backend for processing.
3. API calls are made from the client’s backend to the ACME APIs.
4. The client’s backend returns the API responses to their frontend.
5. The information is presented to the user via the client’s frontend.
The following configuration items must be completed in order to enable CORS checkout.
Safelisted domains must be registered with ACME. Only calls from these domains will be allowed to complete a checkout and only one domain can be used per environment.
ACME must associate a publishable key with an existing user.
Tip: When creating a user for an integration, we recommend a 1:1 user-to-integration relationship, for example online_ticketing_api_user, crm_integration_user, etc. This will help you troubleshoot integrations should you ever have an issue.
To get started, please refer to Requesting an API Key.
Note: The safelisting process can take up to two weeks to complete.
The CORS checkout endpoint /v2/b2c/cors/checkout uses the same format and payload as the normal B2C checkout. Refer to B2C Checkout for more information.
The following headers are required for a CORS checkout:
Refer to Working with ACME's APIs for more information about headers and examples.
WARNING: You should never send your normal API key (x-acme-api-key) or a session key (x-acme-session) in a call directly from your frontend to ACME’s backend as this is like publishing your ACME username and password. Any integrations found to be using exposed API keys will be deactivated by ACME.
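A build-time check for the warning above, added here as an example (not ACME's code): it scans frontend source text for the two secret header names and reports where they appear. The function name, file paths and sample sources are constructed for illustration.

```javascript
// Secret header names taken from the warning above; they must never appear in browser code.
const SECRET_HEADERS = ["x-acme-api-key", "x-acme-session"];

// Scan a map of { filePath: sourceText } and report every reference to a secret header.
// Matching is case-insensitive because HTTP header names are case-insensitive.
function findSecretHeaderUse(files) {
  const pattern = new RegExp(SECRET_HEADERS.join("|"), "gi");
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    text.split(/\r?\n/).forEach((line, index) => {
      for (const match of line.matchAll(pattern)) {
        findings.push({
          file,
          line: index + 1,
          column: match.index + 1,
          header: match[0].toLowerCase(),
        });
      }
    });
  }
  return findings;
}

// Constructed sample sources (hypothetical files, not real ACME integration code).
const SAMPLE_FRONTEND = {
  // Clean: calls the CORS checkout endpoint with caller-supplied headers only.
  "src/checkout.js": [
    'const CHECKOUT_PATH = "/v2/b2c/cors/checkout";',
    "async function checkout(baseUrl, headers, cart) {",
    "  return fetch(baseUrl + CHECKOUT_PATH, {",
    '    method: "POST", headers, body: JSON.stringify(cart),',
    "  });",
    "}",
  ].join("\n"),
  // Dirty: backend-only headers left in code that ships to the browser.
  "src/legacy.js": [
    "// leftover from a backend prototype",
    'const headers = { "X-ACME-API-Key": window.CONFIG.key };',
    'headers["x-acme-session"] = sessionStorage.getItem("s");',
  ].join("\n"),
};

const findings = findSecretHeaderUse(SAMPLE_FRONTEND);
for (const f of findings) {
  console.log(`${f.file}:${f.line}:${f.column} references ${f.header}`);
}
```

In a pipeline, pass the contents of the built frontend bundle to `findSecretHeaderUse` and fail the build when it returns any findings.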