Public API
Merchant-facing endpoints authenticated by API key and protected by domain whitelist.
POST /api/public/protected-checkout
Create a Stripe Checkout Session on the merchant’s connected Stripe account, with EnsureBack policy snapshot binding.