Public API

API reference for protected checkout.

Merchant-facing endpoints authenticate with an EnsureBack API key, validate your checkout domain, create Stripe Checkout Sessions, and bind a policy snapshot used by downstream protection workflows.

Endpoint

POST /api/public/protected-checkout

Creates a Stripe Checkout Session on the merchant’s connected Stripe account and returns a redirect URL.

Open endpoint docs View OpenAPI

Base URL

https://ensureback.com

Use production API keys only from your backend. Never expose secret merchant API keys in frontend code.

Authentication

Headers

Authorization: Bearer <ENSUREBACK_API_KEY>

# Alternative:
x-ensureback-api-key: <ENSUREBACK_API_KEY>

Success shape

Response

{
  "ok": true,
  "protectedCheckoutLineItem": {
    "type": "stripe",
    "price": "price_123",
    "quantity": 1
  },
  "checkout": {
    "id": "cs_test_123",
    "url": "https://checkout.stripe.com/c/pay/cs_test_123"
  },
  "protectedPayment": {
    "id": "pp_123",
    "status": "payment_pending",
    "policyId": "pol_abc",
    "snapshotId": "snap_001"
  }
}

Request rules

API key must belong to the merchant account.

Origin or Referer must resolve to a whitelisted website.

successUrl and cancelUrl hosts must match the approved origin host.

Stripe account must be connected and ready.

An active policy snapshot must be resolvable.

Line items must reference valid Stripe Price IDs.

Common errors

400

Invalid request body, redirect host mismatch, or missing required fields.

401

Missing or invalid API key.

403

Origin domain is not whitelisted for this merchant.

409

Merchant Stripe account or active policy is not ready.

500

Unexpected server-side failure.