Hello @afs2024!
So, in fact we use the approved=“true” field to restrict some users’ access to a certain sales channel. This means that a user who is not logged in and authorized will only have access to the sales channel that does not have such restrictions, and therefore he will not be able to place an order for a product with the conditions present in the restricted sales channel.
However, when we are talking about creating an order via the Place Order API, we have another type of restriction: it turns out that this API cannot be used by anyone, since according to the documentation, it requires the use of an AppKey and AppToken! In other words, no user can create an order through the API, as they do not have access to the store’s AppKey and AppToken.
In fact, we can see that the example cURL already has the X-VTEX-API-AppKey and X-VTEX-API-AppToken fields configured in the headerrs:
curl --request put \
--url https://apiexamples.vtexcommercestable.com.br/api/checkout/pub/orders \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-VTEX-API-AppKey: ' \
--header 'X-VTEX-API-AppToken: ' \
--data '{"items":[{"id":"123456789","quantity":1,"seller":"1"}],"clientProfileData":{"email":"[customer@examplemail.com](mailto:customer@examplemail.com)","firstName":"first-name","lastName":"last-name","documentType":"cpf","document":"123456789","phone":"+55110988887777","corporateName":"company-name","tradeName":"trade-name","corporateDocument":"12345678000100","stateInscription":"12345678","corporatePhone":"+551100988887777","isCorporate":false},"shippingData":{"address":{"addressType":"residential","receiverName":"receiver-name","addressId":"Home","postalCode":"12345-000","city":"Rio de Janeiro","state":"Rio de Janeiro","country":"BRA","street":"Praia de Botafogo","number":"300","neighborhood":"Botafogo","complement":"3rd floor","reference":"Grey building","geoCoordinates":[-47.924747467041016,-15.832582473754883]},"logisticsInfo":[{"itemIndex":0,"selectedSla":"Express","selectedDeliveryChannel":"delivery","lockTTL":"8d","shippingEstimate":"7d","price":1099,"deliveryWindow":{"startDateUtc":"2021-07-13T00:00:00+00:00","endDateUtc":"2021-07-13T23:59:59+00:00","price":0,"lisPrice":0,"tax":0}}],"updateStatus":"updated"},"paymentData":{"giftCards":[{"redemptionCode":"HYUO-TEZZ-QFFT-HTFR","value":500,"balance":500,"name":"name-example","id":"1390324156495k195pmab4rall3di","inUse":true,"isSpecialCard":false}],"giftCardMessages":["message-example"],"paymentSystems":[{"id":2,"name":"Visa","groupName":"creditCardPaymentGroup","validator":{"regex":"^4","mask":"9999 9999 9999 9999","cardCodeRegex":"[^0-9]","cardCodeMask":"999","weights":[2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2]},"stringId":"12345abc","template":"creditCardPaymentGroup-template","requiresDocument":false,"selected":false,"isCustom":false,"description":"description-example"}],"payments":[{"accountId":"accountID-example","bin":"2","installments":2,"paymentSystem":12,"referenceValue":16175,"value":16175}],"updateStatus":"updated"},"marketingData":{"coupon":"free-shipping","utmSource":"Facebook","utmMedium":"CPC","utmCampaign":"Black friday","utmiPage":"utmi_page-example","utmiPart":"utmi_part-exmaple","utmiCampaign":"utmi_campaign-exmaple"},"openTextField":"open-text-example","salesAssociateData":{"salesAssociateId":"seller123"}}'
These credentials should not be accessed by anyone who does not manage the store, and when it is necessary to share any credentials with third parties, it is essential that an access profile is created with roles configured only for that specific function that will be performed by the user.
Lucas Palhano Fonseca | Field Software Engineer
