Public integration overview

A complete storefront with a controlled integration boundary.

PUPMKT is a connector-ready marketplace frontend. It keeps the browser experience stable while approved partner services remain authoritative for identity, inventory, commerce, fulfillment, and other live decisions.

Frontend 1.0.12 connector-readyConnections in standbyControlled disclosure
2.1.0API contract
95provider-neutral paths
37browser commands mapped

Full API contract 2.1.0, all 114 documented operations, schema catalogue, browser-command mapping, mock environment, integration examples and contract-test package are available to qualified partners upon request.

System context

One browser boundary. Authoritative systems stay behind it.

The public site exposes a stable customer interface and a same-origin gateway. Credentials, business rules, and private service locations remain on trusted server infrastructure.

  1. 1
    PUPMKT browser experience

    Search, listings, accounts, cart, checkout handoff, orders, selling, stores, and digital eligibility.

  2. 2
    Same-origin gateway

    Accepts browser requests, carries the approved session, and prevents partner credentials from entering frontend code.

  3. 3
    Partner API boundary

    Maps the provider-neutral PUPMKT contract to approved services without exposing nonpublic service locations.

  4. 4
    Authoritative systems

    Own identity, inventory, pricing, payments, orders, fulfillment, support, and approved transfer decisions.

System context from customer action to the system of record. The gateway is the browser's only integration boundary.

Request flow

Every live result has an accountable source.

Reads and commands follow the same controlled path, so loading, authorization, conflicts, and outages can be represented honestly.

  1. 01
    User action

    A customer or authorized workforce user starts a visible action.

  2. 02
    Same-origin request

    The browser sends the minimum validated projection to the PUPMKT gateway.

  3. 03
    Identity and permission

    The server establishes the actor and enforces role, scope, and resource ownership.

  4. 04
    Authoritative decision

    The responsible partner system reads or changes the record and returns its current version.

  5. 05
    Safe projection

    The gateway returns a contract-valid response or a stable, user-safe error with a correlation reference.

No synthetic success in connected mode. If a remote catalog, cart, checkout, order, or identity service fails, PUPMKT shows an unavailable or retry state. It never silently substitutes synthetic sellable inventory or invents an authoritative transaction.

Supported business domains

A focused contract around the visible product.

Contract 2.1 defines 95 provider-neutral paths, 114 documented operations, and 37 named browser-command mappings. The boundary follows real frontend workflows instead of an inflated speculative endpoint count.

Discover

Catalog, search, and listings

Versioned categories, browse and search results, listing detail, seller summaries, availability, pricing, condition, and approved media. Qualified employee roles can govern category records without making the browser authoritative.

Buy

Cart, checkout, and orders

Versioned cart projections, hosted checkout handoff, authoritative checkout return status, orders, fulfillment, and return context.

Sell

Listings and seller inventory

Seller profile projections, listing drafts, owner-scoped inventory, offers, auctions, bids, and marketplace messages.

Trust

Evidence, stores, and handoff

Item evidence, validation context, store-assisted fulfillment, issue handling, and Nearby results that can combine clearly labeled marketplace listings with eligible partner-retail inventory.

Identity

Sessions and account projections

Customer and workforce session projections, roles, scopes, saved items, account preferences, and deny-by-default ownership checks.

Permissioned

Payout and digital handoffs

Hosted onboarding projections and digital eligibility or transfer handoffs only when the responsible program explicitly permits them.

Identity and authorization

Customer identity and workforce identity remain separate.

PUPMKT consumes a minimal session projection. Authentication is supplied through an approved identity handoff; every protected decision is authorized again on the server.

Customer identity

Marketplace ownership

Supports account, buyer, and seller experiences. The session identifies the actor, while the server checks ownership of profiles, carts, listings, messages, and orders before returning or changing data.

Workforce identity

Enterprise access

Uses a separate enterprise identity boundary and narrowly scoped session projection. Directory credentials never enter PUPMKT forms, and customer sessions do not become workforce sessions.

  • Server-enforced roles, scopes, tenant or location scope, and object ownership
  • Secure browser session with no partner secret or directory credential stored in frontend code
  • Deny-by-default behavior when identity, permission, or an authoritative dependency cannot be verified

Operating modes

Visible in standby. Authoritative when connected.

The mode changes the source of truth, not the product's navigation or visual hierarchy.

Standby mode

Safe, browseable frontend

Live capabilities are closed. The interface can demonstrate category governance, Nearby retail presentation, and the complete customer surface, but it does not claim that accounts, store inventory, payments, orders, payouts, store decisions, or digital transfers are operating.

Connected remote mode

Partner-backed operations

Only accepted capabilities are enabled. Every public category, listing, store-stock fact, price, and successful command comes from an authoritative partner service through the same-origin gateway.

Representative projections

Small browser shapes, complete authoritative meaning.

These sanitized summaries show the information each screen needs. They are not the full schema catalogue or endpoint reference.

Session

{ authenticated, actorType, roles, scopes, expiresAt }

Enough to render the current actor and request permitted actions without exposing provider tokens.

Catalog page

{ items, nextCursor, appliedFilters }

A stable result window with public availability and discovery context.

Listing

{ id, title, condition, price, seller, fulfillment, version }

The current item, seller, evidence, price, delivery choices, and concurrency version.

Cart

{ id, items, authoritativeTotals, version }

Server-priced entries, eligible fulfillment choices, totals, and a version for safe updates.

Checkout

{ sessionReference, status, expiresAt }

An opaque hosted-checkout handoff. A browser redirect alone never proves payment or order creation.

Order

{ id, status, items, total, fulfillment, timeline, version }

An ownership-filtered view of the authoritative order and customer-safe progress.

Sanitized examples

Conventional HTTP, ordinary engineering tools.

These abbreviated examples use synthetic identifiers and nonfunctional placeholders. Qualified documentation supplies complete schemas, errors, examples, and executable tests.

Read a catalog page

GET /api/v1/listings?category=retro-games&limit=2
Accept: application/json

200 OK
{
  "items": [
    {
      "id": "listing_demo_001",
      "title": "Synthetic game listing",
      "condition": "excellent",
      "price": { "amountCents": 4299, "currency": "USD" }
    }
  ],
  "nextCursor": null
}

Start hosted checkout

POST /api/v1/checkout-sessions
Content-Type: application/json
Idempotency-Key: [unique intent key]

{
  "cartId": "cart_demo_001",
  "expectedCartVersion": 4,
  "fulfillmentMethod": "shipment"
}

201 Created
{
  "checkoutSessionId": "checkout_demo_001",
  "status": "pending",
  "checkoutDestination": "[approved hosted checkout URL]"
}

Reliability model

Safe retries, explicit errors, compatible change.

The public overview describes the guarantees without publishing implementation-specific security or operational details.

Idempotency

Commands that could duplicate state use a caller-stable intent key. Exact replays return the established result; mismatched reuse is rejected instead of creating a second action.

Webhooks

Partner event delivery is authenticated, replay-aware, and idempotently processed. Duplicate and out-of-order delivery are expected; reconciliation remains available when delivery is delayed.

Errors

Failures use stable machine codes, a user-safe summary, a correlation reference, and clear retry guidance. Private dependency details and stack traces are not returned to the browser.

Versioning

Contract 2.1.0 is the current compatibility boundary. Its category-governance operations and partner-retail Nearby projection are additive; breaking field, operation, or meaning changes still require a new major version and migration evidence.

Connected-pilot dependencies

Partner-owned systems supply live authority.

PUPMKT supplies the frontend boundary and integration contract. A connected pilot requires approved owners and test services for the capabilities placed in scope.

  • Customer identity provider and session handoff
  • Workforce identity provider when category governance or workforce access is in scope
  • Catalog, marketplace inventory, partner-retail inventory, price, listing, and approved media sources
  • Hosted payment and checkout provider
  • Order, fulfillment, return, and reconciliation systems
  • Seller onboarding and payout provider when enabled
  • Support, notification, and approved store systems
  • Publisher or game systems for any permitted digital handoff

Narrow seven-day pilot

Prove one browse-to-order path before expanding scope.

This is an integration exercise for a controlled test cohort. It is not a production launch, public money-movement approval, store rollout, or claim that every partner system is already operating.

  1. Day 1

    Freeze scope

    Name owners, test data, one region, one catalog slice, the authoritative systems, acceptance evidence, and rollback authority.

  2. Days 2-3

    Connect discovery and identity

    Map category, listing, and any in-scope partner-retail projections, then establish a customer test session with ownership and denial checks.

  3. Days 4-5

    Connect commerce

    Wire the server cart, hosted test checkout, authoritative return status, and order projection with safe retries.

  4. Days 6-7

    Test and decide

    Exercise failure, accessibility, monitoring, disablement, rollback, and reconciliation before recording a pilot decision.

Production remains a separate decision. Legal, security, privacy, payments, operations, support, reliability, accessibility, and business owners must accept their launch responsibilities before live use.

Qualified-partner access

Evaluate the complete contract through a controlled package.

The qualified package is version-specific and can include a searchable rendered reference, full schemas, all 37 browser-command mappings, workflow guides, sanitized working examples, a deterministic mock environment, contract tests, a package manifest, and checksums. Access is individually approved, time-bounded, logged, and revocable.

The API contract appears structurally suitable for conventional partner integration, but independent no-AI usability verification remains pending.