Skip to content

Overview

The 3 Clicks API enables external systems to securely interact with your 3 Clicks environment using RESTful endpoints. This guide outlines authentication, request formats, and links to module workflow guides.

Quick Check - Before You Start
  • You have a valid API Key and API Secret from your 3 Clicks administrator.
  • Choose an authentication mode: Simple auth (key + secret headers) or Strict auth (key + HMAC signature + timestamp).
  • For strict authentication, your integration can produce an HMAC-SHA256 signature and supply a Unix timestamp in seconds (not milliseconds).
  • You will URL-encode path and query values (e.g. / becomes %2F) wherever values appear in the request URL.

Getting Started

  • Contact your 3 Clicks administrator to obtain your API Key and API Secret

History Logs

Updates made via the Customer-facing API are now recorded in History Logs. You have a complete audit trail of all modifications, regardless of whether they were made through the UI or the API.

  • Access Swagger UI (interactive API documentation) at:
    https://[your-api-domain]/api-user-doc
  • Base URL for API requests:
    https://[your-api-domain]/api-user/v1/

API module guides

Step-by-step workflow guides by module. Swagger UI remains the schema source of truth for request and response fields.

Module Guide Base path
Order Order API workflows /api-user/v1/order/
Style Style API workflows /api-user/v1/style/
Shipping Shipping API workflows /api-user/v1/shipping/
Search Search API workflows /api-user/v1/search/

Request and Response Format

All API requests should use standard REST conventions with the following specifications:

  • Use JSON in the request body (for POST, PUT, PATCH, DELETE)
  • Include the header: Content-Type: application/json when sending a body

Example Request

curl -X 'PUT' \
  'https://[your-api-domain]/api-user/v1/style/ecommerce/tags-create' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -H 'X-Api-Key: your-api-key' \
  -H 'X-Api-Signature: your-signature' \
  -H 'X-Api-Timestamp: 1717128481' \
  -d '{
    "style_number": "A00416",
    "name": "Activewear"
  }'

Example Response

{
  "result": {
    "success": true,
    "code": "0",
    "message": "operate successfully."
  },
  "content": null
}

URL Encoding

When a parameter is included in the URL, ensure it is properly encoded.

Example:
If the parameter value is ABC/123, encode it as ABC%2F123:

/api-user/v1/shipping/basic/ABC%2F123

Authentication

The server accepts two authentication modes. Both use the same API key and secret issued by your administrator.

Simple auth (GET-friendly)

Send both headers on every request. No signature is required.

  • X-Api-Key: your API key
  • X-Api-Secret: your API secret

Use this mode for curl scripts, quick GET probes, and integrations that prefer sending the secret directly.

curl -X 'GET' \
  'https://[your-api-domain]/api-user/v1/style/basic/detail?style_number=SO00123' \
  -H 'accept: */*' \
  -H 'X-Api-Key: your-api-key' \
  -H 'X-Api-Secret: your-api-secret'

Send these headers. The API secret is not transmitted — it is used only on the client to compute the signature.

  • X-Api-Key: your API key
  • X-Api-Signature: the HMAC-SHA256 signature (lowercase hex)
  • X-Api-Timestamp: current Unix timestamp in seconds

Use this mode for production integrations and for Try it out in Swagger UI: click Authorize, enter both key and secret; Swagger computes the signature and sends key, signature, and timestamp only.

curl -X 'GET' \
  'https://[your-api-domain]/api-user/v1/style/basic/detail?style_number=SO00123' \
  -H 'accept: */*' \
  -H 'X-Api-Key: your-api-key' \
  -H 'X-Api-Signature: your-signature' \
  -H 'X-Api-Timestamp: 1717127589'

Signature verification (strict auth)

Step 1: Prepare the data

Fields required:

  • api_key
  • api_secret
  • method — HTTP verb in lowercase when building the signature message (e.g. get, post, put). Curl examples may show uppercase (GET, POST); only the value concatenated into the signature string must be lowercase.
  • data — for GET, a JSON string of query parameters; for POST/PUT/PATCH/DELETE, the JSON request body string (use {} or the exact payload; no extra whitespace)
  • timestamp — Unix time in seconds

Concatenate all values (no separators):

[api_key][api_secret][method][data][timestamp]

Step 2: Generate signature

Use HMAC with SHA256 encryption:

String secretKey = "your-api-secret";
String message = "your-message-to-sign";

Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
SecretKeySpec secret_key = new SecretKeySpec(secretKey.getBytes(), "HmacSHA256");
sha256_HMAC.init(secret_key);

byte[] hash = sha256_HMAC.doFinal(message.getBytes());
String signature = Hex.encodeHexString(hash);
Timestamps

Ensure that the timestamp is accurate to within 600 seconds of the server time.

Troubleshooting

Why am I getting 401 Unauthorized or signature errors?

Strict authentication requires a correct signature built from api_key, api_secret, method, data, and timestamp concatenated in order with no separators. Simple auth requires both X-Api-Key and X-Api-Secret headers. A wrong secret, wrong method casing, or wrong body string will fail verification.

Steps to resolve:

  1. Confirm you are using the authentication mode your integration expects (Simple vs Strict) and that all required headers are present.
  2. Rebuild the message string exactly as [api_key][api_secret][method][data][timestamp] where method is lowercase and data is the JSON string of the body (POST/PUT/PATCH/DELETE) or query parameters (GET).
  3. Verify the X-Api-Signature is the lowercase hex HMAC-SHA256 of that message using your API secret as the key.
Why do requests fail with a timestamp or clock error?

The server allows only a limited skew (documented as 600 seconds) between your X-Api-Timestamp and server time. Stale timestamps, future timestamps, or using milliseconds instead of seconds will be rejected.

Steps to resolve:

  1. Ensure X-Api-Timestamp is Unix time in seconds (10 digits for current-era times).
  2. Sync your application or server clock with a reliable time source (NTP).
  3. Regenerate the signature immediately before sending so the timestamp matches the signed value.
Why does my GET or path parameter return 404 or wrong data?

Values embedded in the URL must be percent-encoded. Characters such as /, spaces, and & change how the path is parsed if left unencoded.

Steps to resolve:

  1. Encode each dynamic segment (e.g. ABC/123 as ABC%2F123) before placing it in the path.
  2. Encode query parameter values the same way when building query strings.
  3. Compare your final URL with the examples in this guide and with https://[your-api-domain]/api-user-doc for the exact path shape your endpoint expects.