Appearance
Response Scoping
The API uses scope-based field filtering to control what data is returned based on your authentication level. This means the same endpoint can return different fields depending on who is calling it.
Scopes
| Scope | How to trigger | Fields returned |
|---|---|---|
| Public | No token, or invalid token | Only public-safe fields |
| Customer | Valid customer JWT | Public fields + customer-specific fields |
| Backend | Valid admin JWT | All fields, including admin-only data |
How It Works
Resource transformers check the request scope and conditionally include fields. For example, a product resource might return:
- Public:
id,name,price,slug,image - Customer: All public fields +
wishlistStatus,purchaseHistory - Backend: All fields +
costPrice,adminNotes,supplierId
There is no error or indication when fields are omitted due to scope. The response simply contains fewer keys.
Relation Scoping
Relations are also filtered by scope. The policy configuration defines which relations are available at each scope level. For example:
- Public might allow:
translations,categories,images - Customer might add:
reviews,variants - Backend gets all relations
If you request a relation via ?with= that isn't allowed for your scope, it is silently removed from the response.
Practical Implications
- Frontend storefront code (public/customer scope) will never accidentally receive admin-only data
- Admin panel code (backend scope) gets the full dataset
- You don't need separate endpoints for public vs admin views — the same endpoint adapts