REST API Reference
The GSM Middleware REST API provides programmatic access to all control panel features. Built on WordPress REST API infrastructure, it supports standard HTTP methods and returns JSON responses.
Base URL
/wp-json/gsm-middleware/v1/
Authentication
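All endpoints require WordPress authentication, with one exception: the public PayArc webhook receiver (see Receive PayArc Webhook). Supported methods: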
Cookie Authentication (for browser):
// Automatic when logged in to WordPress
Application Passwords (for external apps):
curl -u 'username:password' \
  https://yoursite.com/wp-json/gsm-middleware/v1/sites
Nonce (for AJAX):
fetch('/wp-json/gsm-middleware/v1/sites', {
  headers: {
    'X-WP-Nonce': wpApiSettings.nonce
  }
})
Permissions
All authenticated endpoints require the manage_gsm_middleware capability (typically Administrator role). The public PayArc webhook receiver is the exception.
Endpoints
Sites
List All Sites
GET /wp-json/gsm-middleware/v1/sites
Response:
[
  {
    "id": 1,
    "name": "Main Store",
    "platform": "bigcommerce",
    "site_url": "https://mainstore.com",
    "is_active": true,
    "orders_sync": true,
    "inventory_sync": true,
    "tracking_sync": true,
    "order_last_run": "2026-03-17 10:30:00",
    "inventory_last_run": "2026-03-17 09:45:00"
  }
]
Get Single Site
GET /wp-json/gsm-middleware/v1/sites/{id}
Parameters:
id (integer, required) - Site ID
Response:
{
  "id": 1,
  "name": "Main Store",
  "platform": "bigcommerce",
  "site_url": "https://mainstore.com",
  "api_credentials": {
    "client_id": "abc123",
    "access_token": "xyz789"
  },
  "is_active": true,
  "orders_sync": true,
  "inventory_sync": true,
  "tracking_sync": true
}
Create Site
POST /wp-json/gsm-middleware/v1/sites
Request Body:
{
  "name": "New Store",
  "platform": "woocommerce",
  "site_url": "https://newstore.com",
  "api_key": "ck_abc123",
  "api_secret": "cs_xyz789",
  "is_active": true,
  "orders_sync": true,
  "inventory_sync": true,
  "tracking_sync": false
}
Response:
{
  "id": 5,
  "message": "Site created successfully"
}
Update Site
PUT /wp-json/gsm-middleware/v1/sites/{id}
Request Body: Same as Create Site
Response:
{
  "success": true,
  "message": "Site updated successfully"
}
Delete Site
DELETE /wp-json/gsm-middleware/v1/sites/{id}
Response:
{
  "success": true,
  "message": "Site deleted successfully"
}
Toggle Site Status
POST /wp-json/gsm-middleware/v1/sites/{id}/toggle-status
Response:
{
  "success": true,
  "is_active": false,
  "message": "Site status updated"
}
Test Connection
POST /wp-json/gsm-middleware/v1/sites/{id}/test-connection
Response:
{
  "success": true,
  "message": "Connection successful",
  "details": {
    "platform": "bigcommerce",
    "store_name": "Main Store",
    "api_version": "v3"
  }
}
Statistics
Get System Stats
GET /wp-json/gsm-middleware/v1/stats
Response:
{
  "sites": {
    "total": 10,
    "active": 8,
    "bigcommerce": 6,
    "woocommerce": 4
  },
  "orders": {
    "pending_insert": 5,
    "pending_verify": 3,
    "imported_today": 142
  },
  "errors": {
    "count": 2,
    "recent": [
      {
        "order_number": "BGM-12345",
        "message": "Bad SKU: INVALID-001",
        "created_at": "2026-03-17 10:15:00"
      }
    ]
  }
}
Disputes
Process PayArc Disputes
POST /wp-json/gsm-middleware/v1/disputes/process
Runs the PayArc dispute processing pipeline. Reads unprocessed webhooks from rm_webhooks, matches each to an NMI transaction, stores a linkage, and submits a chargeback to Signifyd.
Parameters:
| Parameter | Type | Default | Description |
|---|---|---|---|
| limit | integer | 10 | Max webhooks to process (1–200) |
| test | boolean | false | Return raw array without side effects |
Response:
{
  "success": true,
  "data": {
    "processed": 3,
    "linked": 3,
    "signifyd_submitted": 2,
    "errors": 0,
    "details": [
      {
        "success": true,
        "webhook_id": 42,
        "case_id": "CASE-12345",
        "mid": "567000000025411",
        "nmi_transaction_id": "8765432109",
        "order_number": "BGM-10001",
        "linked": true,
        "signifyd_submitted": true
      }
    ]
  }
}
See PayArc Dispute Processing for full configuration and troubleshooting details.
Receive PayArc Webhook
POST /wp-json/gsm-middleware/v1/webhooks/payarc
Public endpoint that accepts incoming PayArc dispute webhooks and stores them in rm_webhooks for later processing by Process PayArc Disputes.
Authentication: None (public). PayArc does not provide a signing secret. Secure this endpoint with IP whitelisting at the firewall / WAF level — PayArc webhook source IP is 184.73.45.255.
Request body: Raw JSON payload sent by PayArc.
Success response (HTTP 202):
{
  "success": true,
  "message": "Webhook received.",
  "webhook_id": 123
}
Duplicate response (HTTP 200 — idempotent re-delivery acknowledged):
{
  "success": true,
  "message": "Webhook already received."
}
Error responses:
| Status | Code | Condition |
|---|---|---|
| 400 | empty_payload | Request body is empty |
| 400 | invalid_json | Body is not valid JSON |
| 500 | db_error | Database insert failed |
See PayArc Webhook Receiver for the full two-step flow and configuration details.
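An application-level backstop for the IP restriction described above, as an added example that is not part of GSM Middleware or the original page: a hypothetical must-use plugin that rejects webhook requests from any other address before the route callback runs. The `gsm_example_*` names and the trusted-proxy list are assumptions; the route and source IP are taken from this page.

```php
<?php
// Added example: hypothetical must-use plugin, not GSM Middleware code.
const GSM_EXAMPLE_PAYARC_ROUTE = '/gsm-middleware/v1/webhooks/payarc';
const GSM_EXAMPLE_PAYARC_IPS   = [ '184.73.45.255' ]; // Source IP from this page.
// Assumption: addresses of your own reverse proxy / load balancer, if any.
const GSM_EXAMPLE_TRUSTED_PROXIES = [];

function gsm_example_client_ip(): string {
	$ip = $_SERVER['REMOTE_ADDR'] ?? '';
	// Honour X-Forwarded-For only when the direct peer is a proxy you run;
	// otherwise any sender could claim the PayArc address in a header.
	if ( in_array( $ip, GSM_EXAMPLE_TRUSTED_PROXIES, true )
		&& ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		$hops = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
		$ip   = end( $hops ); // Right-most hop is the one your (single) proxy appended.
	}
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '';
}

add_filter(
	'rest_request_before_callbacks',
	function ( $response, $handler, $request ) {
		if ( is_wp_error( $response ) ) {
			return $response; // An earlier check already rejected the request.
		}
		// Route matching in the REST server is case-insensitive, so compare the same way.
		if ( 0 !== strcasecmp( GSM_EXAMPLE_PAYARC_ROUTE, $request->get_route() ) ) {
			return $response; // Other routes keep their normal authentication.
		}
		if ( in_array( gsm_example_client_ip(), GSM_EXAMPLE_PAYARC_IPS, true ) ) {
			return $response;
		}
		return new WP_Error(
			'rest_forbidden',
			'Source address is not allowed for this endpoint.',
			[ 'status' => 403 ]
		);
	},
	10,
	3
);
```

The firewall or WAF rule remains the primary control; this check only covers requests that still reach WordPress.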
Error Responses
Standard Error Format
{
  "code": "rest_forbidden",
  "message": "Sorry, you are not allowed to do that.",
  "data": {
    "status": 403
  }
}
Common Error Codes
| Code | Status | Description |
|---|---|---|
| rest_forbidden | 403 | Insufficient permissions |
| rest_invalid_param | 400 | Invalid parameter value |
| rest_not_found | 404 | Resource not found |
| rest_cannot_create | 500 | Failed to create resource |
| rest_cannot_update | 500 | Failed to update resource |
Rate Limiting
No rate limiting is currently enforced, but excessive requests may be throttled by WordPress or server configuration.
Versioning
The API version is included in the URL (/v1/). Breaking changes will increment the version number.
Examples
JavaScript (Fetch API)
// Get all sites
async function getSites() {
  const response = await fetch('/wp-json/gsm-middleware/v1/sites', {
    headers: {
      'X-WP-Nonce': wpApiSettings.nonce
    }
  });
  return await response.json();
}

// Create a site
async function createSite(siteData) {
  const response = await fetch('/wp-json/gsm-middleware/v1/sites', {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'X-WP-Nonce': wpApiSettings.nonce
    },
    body: JSON.stringify(siteData)
  });
  return await response.json();
}
PHP (WordPress HTTP API)
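// A REST nonce is only honoured together with the logged-in session cookie,
// which wp_remote_get() / wp_remote_post() do not send. For server-side calls,
// authenticate with an Application Password instead.
// $username and $app_password are placeholders for your own credentials.
$auth_header = 'Basic ' . base64_encode( $username . ':' . $app_password );

// Get all sites
$response = wp_remote_get(
    rest_url( 'gsm-middleware/v1/sites' ),
    [
        'headers' => [
            'Authorization' => $auth_header,
        ],
    ]
);
$sites = json_decode( wp_remote_retrieve_body( $response ), true );

// Create a site
$response = wp_remote_post(
    rest_url( 'gsm-middleware/v1/sites' ),
    [
        'headers' => [
            'Content-Type'  => 'application/json',
            'Authorization' => $auth_header,
        ],
        'body'    => wp_json_encode( $site_data ),
    ]
);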
cURL
# A nonce is only honoured together with the logged-in session cookie, so
# command-line calls authenticate with an Application Password instead.

# Get all sites
curl -X GET \
  -u 'username:password' \
  https://yoursite.com/wp-json/gsm-middleware/v1/sites

# Create a site
curl -X POST \
  -u 'username:password' \
  -H "Content-Type: application/json" \
  -d '{"name":"New Store","platform":"bigcommerce",...}' \
  https://yoursite.com/wp-json/gsm-middleware/v1/sites
Next Steps
- AJAX Endpoints - Admin panel AJAX handlers
- Control Panel - Using the admin interface
- PayArc Dispute Processing - Dispute pipeline setup and usage
- Testing - Test API integrations