Overview
The 3 Clicks API enables external systems to securely interact with your 3 Clicks environment using RESTful endpoints. This guide outlines authentication, request formats, and links to module workflow guides.
Quick Check - Before You Start
- You have a valid API Key and API Secret from your 3 Clicks administrator.
- Choose an authentication mode: Simple auth (key + secret headers) or Strict auth (key + HMAC signature + timestamp).
- For strict authentication, your integration can produce an HMAC-SHA256 signature and supply a Unix timestamp in seconds (not milliseconds).
- You will URL-encode path and query values (e.g.
/becomes%2F) wherever values appear in the request URL.
Getting Started
- Contact your 3 Clicks administrator to obtain your API Key and API Secret
History Logs
Updates made via the Customer-facing API are now recorded in History Logs. You have a complete audit trail of all modifications, regardless of whether they were made through the UI or the API.
- Access Swagger UI (interactive API documentation) at:
https://[your-api-domain]/api-user-doc - Base URL for API requests:
https://[your-api-domain]/api-user/v1/
API module guides
Step-by-step workflow guides by module. Swagger UI remains the schema source of truth for request and response fields.
| Module | Guide | Base path |
|---|---|---|
| Order | Order API workflows | /api-user/v1/order/ |
| Style | Style API workflows | /api-user/v1/style/ |
| Shipping | Shipping API workflows | /api-user/v1/shipping/ |
| Search | Search API workflows | /api-user/v1/search/ |
Request and Response Format
All API requests should use standard REST conventions with the following specifications:
- Use JSON in the request body (for POST, PUT, PATCH, DELETE)
- Include the header:
Content-Type: application/jsonwhen sending a body
Example Request
curl -X 'PUT' \
'https://[your-api-domain]/api-user/v1/style/ecommerce/tags-create' \
-H 'accept: */*' \
-H 'Content-Type: application/json' \
-H 'X-Api-Key: your-api-key' \
-H 'X-Api-Signature: your-signature' \
-H 'X-Api-Timestamp: 1717128481' \
-d '{
"style_number": "A00416",
"name": "Activewear"
}'
Example Response
URL Encoding
When a parameter is included in the URL, ensure it is properly encoded.
Example:
If the parameter value is ABC/123, encode it as ABC%2F123:
Authentication
The server accepts two authentication modes. Both use the same API key and secret issued by your administrator.
Simple auth (GET-friendly)
Send both headers on every request. No signature is required.
X-Api-Key: your API keyX-Api-Secret: your API secret
Use this mode for curl scripts, quick GET probes, and integrations that prefer sending the secret directly.
curl -X 'GET' \
'https://[your-api-domain]/api-user/v1/style/basic/detail?style_number=SO00123' \
-H 'accept: */*' \
-H 'X-Api-Key: your-api-key' \
-H 'X-Api-Secret: your-api-secret'
Strict auth (recommended for writes)
Send these headers. The API secret is not transmitted — it is used only on the client to compute the signature.
X-Api-Key: your API keyX-Api-Signature: the HMAC-SHA256 signature (lowercase hex)X-Api-Timestamp: current Unix timestamp in seconds
Use this mode for production integrations and for Try it out in Swagger UI: click Authorize, enter both key and secret; Swagger computes the signature and sends key, signature, and timestamp only.
curl -X 'GET' \
'https://[your-api-domain]/api-user/v1/style/basic/detail?style_number=SO00123' \
-H 'accept: */*' \
-H 'X-Api-Key: your-api-key' \
-H 'X-Api-Signature: your-signature' \
-H 'X-Api-Timestamp: 1717127589'
Signature verification (strict auth)
Step 1: Prepare the data
Fields required:
api_keyapi_secretmethod— HTTP verb in lowercase when building the signature message (e.g.get,post,put). Curl examples may show uppercase (GET,POST); only the value concatenated into the signature string must be lowercase.data— for GET, a JSON string of query parameters; for POST/PUT/PATCH/DELETE, the JSON request body string (use{}or the exact payload; no extra whitespace)timestamp— Unix time in seconds
Concatenate all values (no separators):
Step 2: Generate signature
Use HMAC with SHA256 encryption:
String secretKey = "your-api-secret";
String message = "your-message-to-sign";
Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);
byte[] hash = sha256_HMAC.doFinal(message.getBytes());
String signature = Hex.encodeHexString(hash);
Timestamps
Ensure that the timestamp is accurate to within 600 seconds of the server time.
Troubleshooting
Why am I getting 401 Unauthorized or signature errors?
Strict authentication requires a correct signature built from api_key, api_secret, method, data, and timestamp concatenated in order with no separators. Simple auth requires both X-Api-Key and X-Api-Secret headers. A wrong secret, wrong method casing, or wrong body string will fail verification.
Steps to resolve:
- Confirm you are using the authentication mode your integration expects (Simple vs Strict) and that all required headers are present.
- Rebuild the message string exactly as
[api_key][api_secret][method][data][timestamp]wheremethodis lowercase anddatais the JSON string of the body (POST/PUT/PATCH/DELETE) or query parameters (GET). - Verify the X-Api-Signature is the lowercase hex HMAC-SHA256 of that message using your API secret as the key.
Why do requests fail with a timestamp or clock error?
The server allows only a limited skew (documented as 600 seconds) between your X-Api-Timestamp and server time. Stale timestamps, future timestamps, or using milliseconds instead of seconds will be rejected.
Steps to resolve:
- Ensure
X-Api-Timestampis Unix time in seconds (10 digits for current-era times). - Sync your application or server clock with a reliable time source (NTP).
- Regenerate the signature immediately before sending so the timestamp matches the signed value.
Why does my GET or path parameter return 404 or wrong data?
Values embedded in the URL must be percent-encoded. Characters such as /, spaces, and & change how the path is parsed if left unencoded.
Steps to resolve:
- Encode each dynamic segment (e.g.
ABC/123asABC%2F123) before placing it in the path. - Encode query parameter values the same way when building query strings.
- Compare your final URL with the examples in this guide and with
https://[your-api-domain]/api-user-docfor the exact path shape your endpoint expects.