API Referencev1

Authentication

Every request requires a Bearer token. Sandbox keys are prefixed sk_test_; production keys with sk_live_. Keep them server-side, never ship a live key in client code.

cURLNodePython

curl https://api.sticky.co/v1/customers \-H "Authorization: Bearer sk_test_8K2x...QpWb" \-H "Sticky-Workspace: ws_kendalls_cannabis"

Workspace header is required

Multi-location accounts must specify which workspace each request targets.

Errors & rate limits

Standard HTTP codes. Errors come back as JSON with a type, code, and human-readable message. Default rate limit is 100 req/sec per workspace.

200 OK

Success.

400 Bad Request

Validation failed.

401 Unauthorized

Missing or invalid key.

429 Too Many Requests

Slow down. Retry after header included.

POST/v1/customers

Create a customer

Creates a customer record. Phone is required (we de-dupe on it). Email is optional but enables email channels.

Body parameters

phone

string

Required. E.164 format, e.g. +13035551234.

string

Lowercased, RFC-5322 valid.

first_name

string

Optional.

consent

object

SMS/email opt-in flags + source. Required for SMS-eligible customers.

metadata

object

Up to 50 string→string pairs. Stored as-is.

RequestResponse

POST /v1/customers{"phone": "+13035551234","email": "sam@example.com","first_name": "Sam","consent": { "sms": true, "source": "in-store-kiosk" }}

RequestResponse

{"id": "cus_8K2xQp","created_at": "2026-04-29T14:08:32Z","phone": "+13035551234","tier": "bronze","points_balance": 0}

POST/v1/events

Push a loyalty event

The most common write you'll do. Event type determines points awarded, tier evaluation, and journey triggers.

type

enum

Required. One of order.completed, order.refunded, visit, referral.

customer_id

string

Required. Sticky customer ID.

amount_cents

integer

Required for order events.

items

array

Line items with sku + qty for category-level analytics.

NodePythoncURL

await sticky.events.create({type: 'order.completed',customer_id: 'cus_8K2xQp',amount_cents: 14400,items: [{ sku: 'cd-pre-1g-1', qty: 2 }]})

POST/v1/passes

Mint a wallet pass

Returns a signed install URL for both Apple Wallet and Google Wallet. The URL is single-use and expires in 24 hours.

Response

{"id": "pass_2VnQ4z","customer_id": "cus_8K2xQp","install_url": "https://wallet.sticky.co/i/2VnQ4z","apple_url": "https://wallet.sticky.co/a/2VnQ4z.pkpass","google_url": "https://pay.google.com/gp/v/save/eyJ...","expires_at": "2026-04-30T14:08:32Z"}

POST/v1/webhooks

Subscribe to events

Sticky signs every webhook with HMAC-SHA256. Signature is in the Sticky-Signature header. Retries: 6 attempts over 24 hours with exponential backoff.

Request

{"url": "https://api.yourbrand.com/sticky/webhook","events": ["customer.tier_changed","pass.installed","journey.entered"]}

Last updated · April 2026Back to dev portal →

Endpoint reference is approval-gated.

The full API reference unlocks once we’ve approved your developer application. Cannabis means strict compliance, we approve every developer manually so we know what you’re building.

Request access Back to dev portal

You can preview the structure of the docs through the blur, but you'll get redacted body parameters and no example responses until approved.

Demo state: