Developers · Getting started

Your first Andromeda API call in ten minutes.

Get credentials, swap them for a token, make your first read, make your first write, learn the error shape. That's the whole story — the rest is just more endpoints.

Standard OAuth2. Standard REST. Standard RFC 7807 errors. No bespoke SDK required.

How the platform is organised.

Andromeda splits reads and writes across two APIs — a Queries API for GET requests, and a Commands API for POST, PUT and DELETE. A third service, the Identity server, issues OAuth2 tokens. All three are accessible on both a test and a production environment.

ServiceTest产品ion
Identity (OAuth2) test-portal-identity.azurewebsites.net portal-identity.azurewebsites.net
Queries API (reads) test-portal-queries-api.azurewebsites.net portal-queries-api.azurewebsites.net
Commands API (writes) test-portal-api.azurewebsites.net portal-api.azurewebsites.net

Every integration starts against test. Promotion to production is a config change, not a code change.

Tell us you're building, get a client.

  1. 联系我们

    电邮 info@androtech.com or book a call. Tell us the use case — reporting, 菜单 automation, loyalty sync, etc. — and we'll issue a non-production organisation with test data.

  2. Receive a client_id and client_secret

    You get a pair of credentials scoped to your organisation, plus a handful of test locations seeded with products, prices and a stream of synthetic 订单 so you have something realistic to read and write against.

  3. Keep the secret in a secret store

    Azure Key Vault, AWS Secrets Manager, 1Password — anything but source control. The secret never needs to appear in browser code; OAuth2 client_credentials is a server-to-server flow.

One POST. One JWT. Good for an hour.

Request an access token

Standard OAuth2 client_credentials grant. The response is a short-lived JWT signed with our platform certificate — attach it as a Bearer header on every subsequent call.

POST
Request
PROTECT_BLOCK_12_END
Response — 200 OK
PROTECT_BLOCK_13_END
Use it on every call
PROTECT_BLOCK_14_END

List the locations you have access to.

GET /organizations/{organizationId}/locations

Every endpoint is scoped to an organisation. Your organizationId is baked into the token claims — you can only touch your own data. A locations call is the canonical "am I wired up correctly?" first request.

GET
Request
PROTECT_BLOCK_16_END
Response — 200 OK
PROTECT_BLOCK_17_END
Keep the location IDs
PROTECT_BLOCK_18_END

Change a price. Watch it propagate.

PUT /organizations/{organizationId}/products/{productId}/pricing

Write endpoints live on the Commands API. The host changes (from *-queries-api to *-portal-api) but the bearer token and the org/location scoping are identical. A 202 means accepted and queued for propagation.

PUT
Request
PROTECT_BLOCK_21_END
Response — 202 Accepted
PROTECT_BLOCK_22_END

Every error is RFC 7807. Every error carries a trace ID.

Validation failure — 400 Bad Request

If a required field is missing, mutually-exclusive filters are supplied together, or a date range is invalid, you get a ProblemDetails body describing what's wrong and a traceId you can quote to our helpdesk.

PROBLEM
Response — 400 Bad Request
PROTECT_BLOCK_25_END
Common statuses
PROTECT_BLOCK_26_END

Where to go next.

You now have a working token, you can read, you can write, you understand the error shape. Every remaining problem is "which endpoints do I need?" — pick the area that matches what you're building.

Ready for credentials?

电邮 us with what you're building and we'll send a test client, seeded data, and a technical contact inside one working day.

Request test access