The Storefront API is read-mostly and does not use authentication tokens. Instead, the site is identified by its UUID in the URL path, and write endpoints are protected by site-level spam protection.
Site identification
Every Storefront API request includes the site UUID as the first path segment after /public:
GET https://api.lynkow.com/public/{siteId}/contents
Find your site UUID in the Lynkow admin under Settings > Site.
Allowed origins
For browser-side requests, the API enforces an Origin / Referer check against the list of allowed origins configured for your site. Configure them in the admin under Settings > Allowed origins.
Server-side calls (no Origin header) are unaffected.
Spam protection on writes
Write endpoints (form submissions, review submissions) gate every request behind one of two mechanisms:
- Honeypot + timestamp (default). Include a hidden _hp field left empty, plus the form load timestamp. Requests that fill the honeypot or post within ~3 seconds of load are rejected.
- reCAPTCHA v3 (optional). When enabled per form/site, pass the token in the recaptchaToken field. Lynkow verifies the token server-side.
Read endpoints are public and not gated by spam protection.
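The allowed-origins check and the honeypot + timestamp check described above, combined in one gate as an added example that is not Lynkow's code. The `_ts` field name, the function names and the reason strings are assumptions; only `_hp` and the roughly 3-second window come from this page.

```javascript
// Added example, not Lynkow's server code. `_ts` (form load time, ms since
// epoch) and the function names are hypothetical; `_hp` and the ~3 s window
// are taken from the text above.
const MIN_FILL_MS = 3000;

// Parsed origin of the Origin (or Referer) header; null when neither is sent.
function requestOrigin(headers) {
  const raw = headers.origin || headers.referer;
  if (!raw) return null;
  try {
    return new URL(raw).origin;
  } catch {
    return "invalid"; // e.g. the literal "null" origin; never on an allowlist
  }
}

function gateWrite(headers, body, allowedOrigins, nowMs = Date.now()) {
  const origin = requestOrigin(headers);
  // Exact match on the parsed origin, never a prefix or substring test.
  if (origin !== null && !allowedOrigins.includes(origin)) {
    return { ok: false, reason: "origin_not_allowed" };
  }
  // Honeypot: hidden from people, so any value was filled in by automation.
  if (String(body._hp ?? "") !== "") {
    return { ok: false, reason: "honeypot_filled" };
  }
  const loadedAt = typeof body._ts === "number" ? body._ts : Number.parseInt(body._ts, 10);
  if (!Number.isFinite(loadedAt)) {
    return { ok: false, reason: "timestamp_missing" };
  }
  // A future timestamp gives a negative elapsed time and is rejected as well.
  if (nowMs - loadedAt < MIN_FILL_MS) {
    return { ok: false, reason: "submitted_too_fast" };
  }
  return { ok: true, reason: null };
}

// Constructed sample input.
const allowed = ["https://shop.example"];
const now = 1700000010000;
console.log(gateWrite({ origin: "https://shop.example" }, { _hp: "", _ts: now - 8000 }, allowed, now));
console.log(gateWrite({ referer: "https://shop.example.evil.example/f" }, { _hp: "", _ts: now - 8000 }, allowed, now));
console.log(gateWrite({}, { _hp: "", _ts: String(now - 1000) }, allowed, now));
```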
Caching
Storefront read endpoints are cached at the edge. Responses include Cache-Control headers; cached entries are purged automatically on content publish/unpublish.
Error responses
| Status | Meaning |
|---|---|
| | Validation error or malformed request |
| | Origin not allowed, or spam protection failed |
| | Site, content, or resource not found |
| | Rate limit exceeded — check |