Partner API v1
Authentication
BaZaaRDan Partner API istekleri Client ID + HMAC SHA256 imzası ile doğrulanır. Client Secret hiçbir zaman frontend, mobil uygulama veya tarayıcı tarafında tutulmamalıdır.
HMAC SHA256
X-BZ-SIGNATURE
Required Headers
| Header | Required | Description |
|---|---|---|
X-BZ-CLIENT-ID |
Yes | BaZaaRDan tarafından verilen Partner API Client ID. |
X-BZ-TIMESTAMP |
Yes | Unix timestamp. İmza üretiminde kullanılır. |
X-BZ-SIGNATURE |
Yes | Client Secret ile üretilen HMAC SHA256 imzası. |
Accept |
Recommended | application/json |
Content-Type |
POST requests | JSON body gönderilen isteklerde application/json. |
Signature Base String
Base String
METHOD + "
" + PATH + "
" + TIMESTAMP + "
" + RAW_BODY| Part | Description |
|---|---|
METHOD |
HTTP method. Örnek: GET, POST. |
PATH |
Endpoint path değeri. Query string varsa dahil edilir. Örnek: /orders.php?limit=50&offset=0 |
TIMESTAMP |
X-BZ-TIMESTAMP headerındaki Unix timestamp. |
RAW_BODY |
HTTP request body. GET isteklerinde boş string olmalıdır. |
Eski
nonce veya body_hash standardı kullanılmaz.
İmza doğrudan yukarıdaki base string üzerinden üretilir.
GET Request Example
cURL - Orders
CLIENT_ID="YOUR_CLIENT_ID"
CLIENT_SECRET="YOUR_CLIENT_SECRET"
METHOD="GET"
PATH="/orders.php?limit=50&offset=0"
TIMESTAMP="$(date +%s)"
BODY=""
BASE_STRING="${METHOD}
${PATH}
${TIMESTAMP}
${BODY}"
SIGNATURE="$(printf "%s" "$BASE_STRING" | openssl dgst -sha256 -hmac "$CLIENT_SECRET" -binary | xxd -p -c 256)"
curl -X GET "https://bazaardan.com/api/partner/v1${PATH}" \
-H "Accept: application/json" \
-H "X-BZ-CLIENT-ID: ${CLIENT_ID}" \
-H "X-BZ-TIMESTAMP: ${TIMESTAMP}" \
-H "X-BZ-SIGNATURE: ${SIGNATURE}"POST Request Example
cURL - Stock Update
CLIENT_ID="YOUR_CLIENT_ID"
CLIENT_SECRET="YOUR_CLIENT_SECRET"
METHOD="POST"
PATH="/stock_update.php"
TIMESTAMP="$(date +%s)"
BODY='{"product_id":356,"variant_combination_id":778,"stock":24,"external_ref":"ERP-STOCK-20260508-001"}'
BASE_STRING="${METHOD}
${PATH}
${TIMESTAMP}
${BODY}"
SIGNATURE="$(printf "%s" "$BASE_STRING" | openssl dgst -sha256 -hmac "$CLIENT_SECRET" -binary | xxd -p -c 256)"
curl -X POST "https://bazaardan.com/api/partner/v1${PATH}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-H "X-BZ-CLIENT-ID: ${CLIENT_ID}" \
-H "X-BZ-TIMESTAMP: ${TIMESTAMP}" \
-H "X-BZ-SIGNATURE: ${SIGNATURE}" \
-d "$BODY"PHP Example
PHP
<?php
$clientId = 'YOUR_CLIENT_ID';
$clientSecret = 'YOUR_CLIENT_SECRET';
$method = 'GET';
$path = '/orders.php?limit=50&offset=0';
$timestamp = (string) time();
$body = '';
$baseString = strtoupper($method) . "\n" . $path . "\n" . $timestamp . "\n" . $body;
$signature = hash_hmac('sha256', $baseString, $clientSecret);
$ch = curl_init('https://bazaardan.com/api/partner/v1' . $path);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HTTPHEADER => [
'Accept: application/json',
'X-BZ-CLIENT-ID: ' . $clientId,
'X-BZ-TIMESTAMP: ' . $timestamp,
'X-BZ-SIGNATURE: ' . $signature,
],
]);
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
echo $httpCode . PHP_EOL;
echo $response . PHP_EOL;Node.js Example
Node.js
import crypto from "node:crypto";
const clientId = "YOUR_CLIENT_ID";
const clientSecret = "YOUR_CLIENT_SECRET";
const method = "GET";
const path = "/orders.php?limit=50&offset=0";
const timestamp = Math.floor(Date.now() / 1000).toString();
const body = "";
const baseString = [
method.toUpperCase(),
path,
timestamp,
body
].join("\n");
const signature = crypto
.createHmac("sha256", clientSecret)
.update(baseString)
.digest("hex");
const response = await fetch(`https://bazaardan.com/api/partner/v1${path}`, {
method,
headers: {
"Accept": "application/json",
"X-BZ-CLIENT-ID": clientId,
"X-BZ-TIMESTAMP": timestamp,
"X-BZ-SIGNATURE": signature
}
});
console.log(response.status);
console.log(await response.json());Python Example
Python
import time
import hmac
import hashlib
import requests
client_id = "YOUR_CLIENT_ID"
client_secret = "YOUR_CLIENT_SECRET"
method = "GET"
path = "/orders.php?limit=50&offset=0"
timestamp = str(int(time.time()))
body = ""
base_string = "\n".join([
method.upper(),
path,
timestamp,
body,
])
signature = hmac.new(
client_secret.encode("utf-8"),
base_string.encode("utf-8"),
hashlib.sha256
).hexdigest()
response = requests.get(
"https://bazaardan.com/api/partner/v1" + path,
headers={
"Accept": "application/json",
"X-BZ-CLIENT-ID": client_id,
"X-BZ-TIMESTAMP": timestamp,
"X-BZ-SIGNATURE": signature,
},
timeout=30,
)
print(response.status_code)
print(response.json())Security Rules
| Rule | Description |
|---|---|
| Client Secret backend-only saklanır. | Frontend, mobil uygulama veya public repository içine eklenmemelidir. |
| HTTPS zorunludur. | Tüm Partner API istekleri HTTPS üzerinden gönderilmelidir. |
| Timestamp kontrolü yapılır. | Çok eski timestamp ile gelen istekler reddedilebilir. |
| Permission kontrolü yapılır. | Her client yalnızca kendisine verilen izinlerdeki endpointleri kullanabilir. |
| Seller scope uygulanır. | Partner uygulaması sadece kurulu olduğu satıcının verilerine erişebilir. |
Environment
Related Pages
İlk test için Quick Start, hazır collection için Postman Collection, endpoint detayları için Orders, Order Detail ve Stock Update sayfalarını kullanın.