
Authentication

The current public product and order lookup endpoints do not require an API key. For a completed order, a lookup that supplies the order number and contact email can return the account credentials.

Balance payments require the logged-in user's Bearer token. Send the token returned by the login endpoint in the request header:

Authorization: Bearer USER_TOKEN

Login endpoint:

POST /api/auth/login

Request body:

{
  "email": "[email protected]",
  "password": "your-password"
}

No Login Required

  • GET /api/products
  • GET /api/products/:idOrSlug
  • GET /api/orders/query?order_no=...&email=... (completed orders return account credentials; limited to 3 requests per IP per 60 seconds and 2 requests per order/email pair per 60 seconds)
  • GET /api/orders/:id/status?token=... (returns account details when the order access token is provided)
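
The two limits listed for GET /api/orders/query (3 per IP and 2 per order/email pair, each per 60 seconds) can be enforced together as sketched below. This is an added example, not the service's own code; the class and function names, the sliding-window strategy, the email normalisation and the choice not to count rejected requests are assumptions.

```javascript
// Added example; names are hypothetical and the request data is constructed.
const WINDOW_MS = 60_000;
const LIMITS = { ip: 3, pair: 2 }; // the documented per-IP and per-pair limits
class OrderQueryLimiter {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so the window can be tested
    this.hits = new Map(); // key -> timestamps (ms) of accepted requests
  }
  // Drop timestamps that fell out of the window and return the rest.
  recent(key, t) {
    const kept = (this.hits.get(key) || []).filter((ts) => t - ts < WINDOW_MS);
    if (kept.length) this.hits.set(key, kept); else this.hits.delete(key);
    return kept;
  }
  // Returns { allowed, retryAfterMs }. A request is recorded only when both
  // limits pass (assumption: rejected requests do not extend the block).
  check(ip, orderNo, email) {
    const t = this.now();
    // Assumption: normalise so case/whitespace variants share one bucket.
    const pairKey = `pair:${String(orderNo).trim()}|${String(email).trim().toLowerCase()}`;
    const ipKey = `ip:${ip}`;
    const ipHits = this.recent(ipKey, t);
    const pairHits = this.recent(pairKey, t);
    const waits = [];
    if (ipHits.length >= LIMITS.ip) waits.push(ipHits[ipHits.length - LIMITS.ip] + WINDOW_MS - t);
    if (pairHits.length >= LIMITS.pair) waits.push(pairHits[pairHits.length - LIMITS.pair] + WINDOW_MS - t);
    if (waits.length) return { allowed: false, retryAfterMs: Math.max(...waits) };
    this.hits.set(ipKey, [...ipHits, t]);
    this.hits.set(pairKey, [...pairHits, t]);
    return { allowed: true, retryAfterMs: 0 };
  }
}
// Constructed sequence on a fake clock (documentation-range IPs, made-up orders).
function demo() {
  let clock = 0;
  const lim = new OrderQueryLimiter(() => clock);
  const ok = (ip, no, email) => lim.check(ip, no, email).allowed;
  const out = [
    ok("198.51.100.7", "ORD-1", "a@example.test"), // first lookup for the pair
    ok("198.51.100.7", "ORD-1", "A@Example.test"), // same pair after normalising
    ok("203.0.113.9", "ORD-1", "a@example.test"),  // pair limit holds across IPs
    ok("198.51.100.7", "ORD-2", "a@example.test"), // third accepted hit for this IP
    ok("198.51.100.7", "ORD-3", "a@example.test"), // IP limit reached
  ];
  clock = WINDOW_MS; // the earlier hits are now outside the window
  out.push(ok("198.51.100.7", "ORD-1", "a@example.test"));
  return out;
}
```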

Login May Be Required

POST /api/orders/create requires a user Bearer token when the payment method is one of:

  • balance_cny
  • balance_crypto

Other payment methods, such as crypto, do not require login.

When users place orders through the API, a balance payment deducts the order amount from the user's balance; API calls themselves are not billed separately.

Admin and Internal APIs

/api/admin/*, /api/orders/clean, and similar endpoints are not public APIs. They require an admin token or an internal server secret.