All systems operational · 99.98% uptime · 30 days

v1·api.sticky.co

Build on the loyalty layer
cannabis ops actually trust.

A REST API, signed webhooks, and a developer sandbox. Sandbox keys are free, production access is approval-gated, because cannabis means strict compliance.

Request developer access Browse API reference

NodePythonRubyGocURL

example.js

// Push a sale event, a customer just bought 2 pre-rolls
import Sticky from '@sticky/node';
const sticky = new Sticky(process.env.STICKY_KEY);

await sticky.events.create({
  type: 'order.completed',
  customer_id: 'cus_8K2xQp',
  amount_cents: 14400,
  items: [{ sku: 'cd-pre-1g-1', qty: 2 }]
});
// → triggers points award + tier eval + journey enrollment
// → fires `customer.tier_changed` webhook if applicable

What you get

Sandbox + production environments
HMAC-signed webhooks with 24h retry
Native wallet pass minting
Test phone numbers, no real SMS sent

Sandbox approval typically < 2 business days

Live API activity, last 60s

200 POST /v1/events 8ms200 POST /v1/passes 22ms200 GET /v1/customers/cus_8K2xQp 4ms201 POST /v1/webhooks 11ms200 POST /v1/events 7ms429 POST /v1/messages retry-after 1s200 GET /v1/segments 14ms200 POST /v1/passes/push 31ms200 POST /v1/events 9ms204 DELETE /v1/customers/cus_8K2xQp 12ms200 POST /v1/events 8ms200 POST /v1/passes 22ms200 GET /v1/customers/cus_8K2xQp 4ms201 POST /v1/webhooks 11ms200 POST /v1/events 7ms429 POST /v1/messages retry-after 1s200 GET /v1/segments 14ms200 POST /v1/passes/push 31ms200 POST /v1/events 9ms204 DELETE /v1/customers/cus_8K2xQp 12ms

Surface area

Everything you can read, write, and listen to.

Customers

Phone-first identity, points, tier, consent, and metadata. Idempotent upserts. PII redaction on demand.

GET /v1/customers

POST /v1/customers

GET /v1/customers/{id}

DEL /v1/customers/{id}

Events

Push orders, visits, referrals. Sticky handles points, tier eval, and journey enrollment server-side.

POST /v1/events

GET /v1/events

12 event types · ~8ms p50

Wallet passes

Mint Apple Wallet & Google Wallet passes. Push live updates that hit the lock screen in seconds.

POST /v1/passes

POST /v1/passes/{id}/push

Apple + Google native

Messaging

Send transactional email and SMS through Sticky's compliance layer. TCPA, quiet hours, and STOP all enforced.

POST /v1/messages/email

POST /v1/messages/sms

Compliance-checked at send

Segments

Read computed segments, evaluate a customer against rules, or trigger custom recompute on-demand.

GET /v1/segments

POST /v1/segments/{id}/eval

Webhooks

Subscribe to 24 event types. HMAC signed, exponential backoff, full delivery log per endpoint.

POST /v1/webhooks

GET /v1/webhooks/log

24 event types

Webhooks

Listen to what your customers actually do.

We sign every webhook with HMAC-SHA256 in the Sticky-Signature header. Failed deliveries retry 6 times over 24 hours with exponential backoff. Replay any event from the dashboard or via /v1/webhooks/log.

customer.created

customer.tier_changed

order.completed

pass.installed

journey.entered

message.delivered

See full event taxonomy

Verify signaturePayload

Node.js

import crypto from 'crypto';

export function verifySticky(req, secret) {
  const sig = req.headers['sticky-signature'];
  const body = req.rawBody;

  const expected = crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');

  if (!crypto.timingSafeEqual(
    Buffer.from(sig),
    Buffer.from(expected)
  )) throw new Error('invalid signature');

  return JSON.parse(body);
}

What's shipping

Public roadmap & changelog.

We ship something every Friday. Subscribe to changelog updates and get the diff in your inbox.

Apr 28 · This week

Idempotency keys for /v1/events

Shipped

Pass an Idempotency-Key header on event creation. Replays return the original response, so retries from a failing webhook handler are safe.

v1.42.0 · View in docs

Wallet pass templates API

Shipped

Define re-usable Apple/Google pass templates programmatically. Mint passes from a template ID instead of duplicating layout JSON.

v1.41.0

In progress

GraphQL endpoint (beta)

Beta · invite-only

Read-only at first. Useful for building dashboards that aggregate customers + events + segments without three round trips. Want in?

Request beta access →

Planned · Q3

OAuth 2.0 for partner apps

Planned

Build apps that operators can install across their workspaces, standard OAuth 2.0 with scoped permissions.

Request access

Tell us what you're building.

Why we approve manually: cannabis APIs touch real customer PII, real consent records, and real wallet passes that go in real wallets. We want to know your name before we hand over the keys.

Submit this form

2 minutes. We just want context.

A real engineer reviews it

Usually within 1 business day, max 2.

You get sandbox keys

Build whatever you want against test data.

Production access when you're ready

Quick compliance review, no contract gating.

Questions? Email devs@sticky.co or jump in our Discord.

First name

Last name

Work email

We'll send your sandbox key here.

Company / project

Role

What are you building? - 1 sentence is fine

Which surfaces do you need? (select all)

Customers & events

Read/write loyalty data

Wallet passes

Mint & push updates

Webhooks

Subscribe to events

Messaging

Programmatic email/SMS

Your relationship to a licensed dispensary

Required for compliance. We won't share this with anyone.

I agree to the Developer Terms and understand sandbox keys may not be used to send messages to real consumer phone numbers.

Already approved? Open API reference →

Build on the loyalty layercannabis ops actually trust.

Everything you can read, write, and listen to.

Listen to what your customers actually do.

Public roadmap & changelog.

Tell us what you're building.

Build on the loyalty layer
cannabis ops actually trust.