With Moltin, our API lets you separate the backend data storage, validation and logic processing from the frontend entirely. The client (or even your own server!) doesn’t need to do any heavy lifting and simply makes requests to the backend to fetch data (get the cart contents) or carry out actions (add this to my cart, checkout, etc.).
This doesn’t just stop at carts though. Moltin also provides features and functionality found in traditional eCommerce platforms, including inventory (products, categories, collections), promotions, the checkout process to convert carts to orders, payment aggregation, custom data schemas and more. A great example of what can be achieved with our set of APIs is Black Crows, which is built with AngularJS. Everything on their site is powered by Moltin behind the scenes, including the navigation, pages, localization, products, carts, checkout and payment aggregation.
The time it takes to build production applications and functional prototypes is drastically reduced, as the process shrinks from managing a whole platform or rolling your own to simply data-binding API responses inside your HTML and triggering requests to perform actions.
No longer bound by technology choices and limitations, designers and developers can create dynamic customer journeys and scalable shopping experiences.
Control & Limitations
Moltin currently provides two API keys, the client ID, and the client secret.
At this point it should be noted: never share your client secret with anyone, it’s a secret for a reason, and that reason is it provides full read/write access to your data via the client credentials grant type!
A simple example of what this means is that a product price cannot be tampered with on the client-side: the product is defined on the Moltin backend and adding items to the cart is validated on our backend. Carts are stored on Moltin and only a reference ID is stored client-side to access this cart.
With that said, some users may not be worried about a price being altered. A good example would be a donate button. In this scenario, we would suggest using custom cart items, where you can set a title and price from the client-side. Once a cart containing a custom item is transformed into an order during the checkout stage, the resulting custom order item(s) carry no Moltin product ID attribute, which is what marks them as custom, so you can’t fake a defined “real” Moltin product.
Cart IDs in Moltin are special as you can define your own reference. By default, the JS SDK generates a 32-bit random alpha-numeric string to avoid collisions, making them close to impossible to guess correctly. These are unique to each Moltin store and the reference is stored in an mcart cookie for your site.
You can also set many of the readable resources (products, categories, collections, etc.) to “live” or “draft”. Using the implicit grant type will result in only “live” results being returned from the API, which gives you another way to control what data is available to client-side applications.
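The two trust rules described above (catalogue prices are never taken from the client, and only custom items may carry a client-supplied price, identifiable by their missing product ID) together with the live/draft visibility rule, as an added example. This is illustrative server-side logic written for this post, not Moltin’s SDK or backend; the catalogue, the `buildCartItem` function and the `grant` parameter are all assumptions.

```javascript
// Added example (not Moltin's code): a minimal server-side "add to cart" handler
// that applies the trust boundary from the text. Prices for catalogue products
// come from the backend only; a client-supplied price is accepted solely for
// custom items, which get no product ID and therefore cannot impersonate a
// catalogue product when the cart becomes an order.

// Constructed sample catalogue: product id -> { title, price in minor units, status }
const CATALOGUE = {
  prod_001: { title: 'T-shirt', price: 2500, status: 'live' },
  prod_002: { title: 'Prototype hoodie', price: 6000, status: 'draft' },
};

// Quantity must be a positive integer whatever the item type.
function checkQuantity(quantity) {
  if (!Number.isInteger(quantity) || quantity <= 0) throw new Error('invalid quantity');
  return quantity;
}

// `request` is the JSON body a client sends. `grant` models which OAuth grant
// obtained the token: 'implicit' (public, browser-side) sees only live items,
// 'client_credentials' (trusted server) may also see draft items.
function buildCartItem(request, grant = 'implicit') {
  const quantity = checkQuantity(request.quantity);

  if (request.product_id !== undefined) {
    const product = CATALOGUE[request.product_id];
    if (!product) throw new Error('unknown product');
    if (product.status !== 'live' && grant !== 'client_credentials') {
      throw new Error('product not available');
    }
    // Any `price` field the client sent is deliberately ignored here.
    return { product_id: request.product_id, title: product.title,
             unit_price: product.price, quantity };
  }

  if (request.custom) {
    const price = Number(request.custom.price);
    if (!Number.isInteger(price) || price <= 0) throw new Error('invalid custom price');
    // No product_id: the order line is visibly client-defined.
    return { product_id: null, title: String(request.custom.title),
             unit_price: price, quantity };
  }

  throw new Error('malformed request');
}
```

A donate button would send only the `custom` form; a tampered `price` alongside a `product_id` has no effect because the catalogue value wins.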
A word on OAuth 2
Another question we hear is ‘why have you even bothered with the authentication process in the first place if you are simply trading a public key for an access token?’ The reason is simple: you can re-generate your public key in case of a security breach and also revoke access for specific access tokens immediately and in a controlled way.
On PCI Compliance
Even without an SSL certificate installed, we make sure all of your data passes through HTTPS encryption, even when there’s no green padlock next to your URL.
Having said that, you technically do not need your own SSL certificate for Moltin to work, but we strongly recommend you install one.
There are a few reasons why we recommend this. Modern browsers such as Chrome and Firefox give priority to HTTPS and SSL enabled sites, which can ultimately have a positive impact on your search engine results and rankings compared with a standard HTTP site.
During checkout, having a certificate installed will also make your customers feel more secure. Finally, this also protects your website from certain man-in-the-middle attacks.
Conclusions and the future
Why does this matter anyway?
Here at Moltin, we believe in modern methodologies and tooling to truly empower developers and businesses.