Skip to main content
RapidDev - Software Development Agency
flutterflow-integrationsFlutterFlow API Call

PrestaShop

Connect FlutterFlow to PrestaShop using the Webservice API with FlutterFlow API Calls. The critical fix: always append ?output_format=JSON to every request — PrestaShop returns XML by default, which FlutterFlow's JSON-path mapper cannot parse. Use Basic Auth with your Webservice key as the username and an empty password. Proxy write operations through a Firebase Cloud Function to keep your key off the device.

What you'll learn

  • How to enable the PrestaShop Webservice and create a scoped API key in your store admin
  • Why you must append ?output_format=JSON to every Webservice request and how to wire it as a variable
  • How to configure Basic Auth with key-as-username and empty password in FlutterFlow
  • How to map PrestaShop product and order JSON responses to FlutterFlow ListViews using JSON Paths
  • How to proxy order-write requests through a Firebase Cloud Function to protect your Webservice key
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Intermediate16 min read45 minutesE-commerceLast updated July 2026RapidDev Engineering Team
TL;DR

Connect FlutterFlow to PrestaShop using the Webservice API with FlutterFlow API Calls. The critical fix: always append ?output_format=JSON to every request — PrestaShop returns XML by default, which FlutterFlow's JSON-path mapper cannot parse. Use Basic Auth with your Webservice key as the username and an empty password. Proxy write operations through a Firebase Cloud Function to keep your key off the device.

Quick facts about this guide
FactValue
ToolPrestaShop
CategoryE-commerce
MethodFlutterFlow API Call
DifficultyIntermediate
Time required45 minutes
Last updatedJuly 2026

Building a FlutterFlow App Powered by Your PrestaShop Store

PrestaShop is one of the most widely deployed open-source e-commerce platforms, running on self-hosted PHP servers with a built-in Webservice API available at /api/. For FlutterFlow builders, this opens up mobile and web companion apps: a customer-facing catalog browser, an order-tracking app for staff, or an inventory dashboard for store owners. The integration is straightforward once you understand a critical quirk — the Webservice returns XML by default, and FlutterFlow's JSON-path response mapper cannot parse XML. Every single API Call must include ?output_format=JSON in the URL, or you will receive an XML blob that maps to nothing.

Authentication uses Basic Auth, but not the typical username/password pairing. PrestaShop treats your Webservice key as the username and expects an empty string for the password. You base64-encode the string 'key:' (note the trailing colon before the empty password) and pass it as the Authorization header. Since FlutterFlow compiles to native Flutter code that runs on the user's device, any value placed in an API Call header is embedded in the distributed app. For read-only catalog GETs over HTTPS, this is acceptable since the key scope limits damage. However, for any write operation — creating an order, updating stock, modifying a product — you should route the call through a Firebase Cloud Function where the key is stored as an environment variable, never shipped to the user's phone.

PrestaShop is open-source and free to use; your only cost is self-hosting. The Webservice API has no rate limit enforced in core PrestaShop, but your hosting provider's server capacity and any configured request throttling will apply. Production stores must run over HTTPS — Basic Auth over plain HTTP is insecure and PrestaShop itself may block it.

Integration method

FlutterFlow API Call

FlutterFlow connects to PrestaShop through its built-in API Calls panel using the PrestaShop Webservice API. You create an API Group pointing at your store's /api/ endpoint, configure Basic Auth with the Webservice key as the username and an empty password, and append ?output_format=JSON to every request so FlutterFlow receives parseable JSON instead of XML. Read-only product and order data can be fetched directly from the client, while order creation and stock updates should go through a Firebase Cloud Function proxy to protect your Webservice key.

Prerequisites

  • A PrestaShop store running on a server with HTTPS enabled (HTTP-only stores cannot use Basic Auth securely)
  • Administrator access to the PrestaShop back office (Advanced Parameters → Webservice)
  • A FlutterFlow project open in the browser — no local installation needed
  • A Firebase project (Blaze plan) if you plan to proxy write operations through a Cloud Function
  • Basic familiarity with FlutterFlow's API Calls panel and JSON path notation

Step-by-step guide

1

Enable the PrestaShop Webservice and create a scoped API key

Log in to your PrestaShop back office (yourdomain.com/admin). In the left navigation, go to Advanced Parameters → Webservice. At the top of the page, make sure the 'Enable PrestaShop Webservice' toggle is switched ON and that 'Enable CGI mode' is OFF unless your hosting requires it. Click Save to activate the API. Next, click the + Add new webservice key button at the top-right of the Webservice page. In the form that appears: in the Key field, click the Generate button — PrestaShop will create a long alphanumeric key for you. Give it a Description like 'FlutterFlow App'. Under Permissions, scroll through the resource list and check the boxes for the resources your app needs. For a read-only catalog app, enable GET on 'products', 'categories', and 'orders'. For an app that creates orders, also enable POST/PUT on 'orders'. Principle of least privilege applies — only grant what your app will actually call. Click Save. Note the generated key — you will not be able to view it again in full from the admin panel. Copy it to a secure location. Your Webservice is now active and accessible at https://yourdomain.com/api/.

Pro tip: If your store runs on shared hosting and the Webservice returns 'Bad credentials' even with the correct key, your hosting provider may have mod_security or similar rules blocking Authorization headers. Ask your host to whitelist the /api/ path.

Expected result: The Webservice page shows 'Webservice enabled' and your new key appears in the key list with its permissions. Visiting https://yourdomain.com/api/?output_format=JSON in a browser with Basic Auth shows a JSON list of available resources.

2

Build the Basic Auth header: base64-encode 'key:' with empty password

PrestaShop's Webservice uses HTTP Basic Auth in a non-standard way. The username is your Webservice key and the password is empty. To construct the Authorization header, you base64-encode the string 'key:' where key is your actual Webservice key followed by a colon and nothing after it. For example, if your key is ABC123XYZ, you encode the string 'ABC123XYZ:' (with the colon, no password). The result is a base64 string like QUJDMTIYWE5aOg==. The Authorization header value is: Basic QUJDMTIYWE5aOg== You can obtain this base64 value using any online base64 encoder — just paste 'YOURKEY:' (with the colon) and copy the output. Keep this encoded string handy for the next step. IMPORTANT: Do not hardcode this value as a literal string in the FlutterFlow API Group header. Instead, store it in FlutterFlow's App State as a string constant (for a read-only public catalog key), or pass it as a variable. For write operations, this key should live only in your Firebase Cloud Function environment — never in client Dart code. If someone decompiles your app and finds a read-only key, they can at most read your catalog. A write-capable key would let them create or modify orders.

Pro tip: A common mistake is encoding just 'YOURKEY' without the trailing colon. This produces a different base64 string and results in a 401 Unauthorized response from PrestaShop. Always include the colon.

Expected result: You have a valid base64 string representing 'key:' (with your Webservice key and trailing colon). This will become the value after 'Basic ' in the Authorization header.

3

Create the API Group and API Calls in FlutterFlow with ?output_format=JSON

In FlutterFlow, click API Calls in the left navigation panel. Click + Add, then Create API Group. Name it 'PrestaShop'. Set the Base URL to https://yourdomain.com/api (replace with your actual store domain — no trailing slash). Under Headers, click + Add Header. Set the key to Authorization and the value to Basic [your-base64-string]. You can store the base64 value as a variable: click the Variable icon next to the value field, then create a new variable called prestashopAuthHeader. This keeps the header value out of the exported codebase. IMPORTANT: Under the Base URL field, add a Query Parameter: key output_format, value JSON. This parameter will be appended to every API Call in this group automatically. Alternatively, you can add ?output_format=JSON at the end of each individual endpoint path — but adding it once at the group level is cleaner and ensures you never forget it on a specific call. Now click + Add API Call within the PrestaShop group. Name it 'Get Products'. Set Method to GET and the endpoint path to /products. In the Response & Test tab, paste a sample JSON response from your store (you can get it by visiting https://yourdomain.com/api/products?output_format=JSON in a browser). Click Generate JSON Paths — FlutterFlow will create path mappings like $.products[*].id, $.products[*].name, $.products[*].price. Add a second API Call named 'Get Orders' with endpoint /orders, and repeat the JSON path generation with a sample orders response. Add a third call 'Get Order Detail' with endpoint /orders/[id] where [id] is a URL variable — in FlutterFlow, create a variable called orderId and reference it as /orders/{{orderId}}.

api_call_config.json
1{
2 "api_group": "PrestaShop",
3 "base_url": "https://yourdomain.com/api",
4 "headers": {
5 "Authorization": "Basic {{prestashopAuthHeader}}"
6 },
7 "query_params": {
8 "output_format": "JSON"
9 },
10 "api_calls": [
11 {
12 "name": "Get Products",
13 "method": "GET",
14 "endpoint": "/products",
15 "json_paths": [
16 "$.products[*].id",
17 "$.products[*].name[0].value",
18 "$.products[*].price",
19 "$.products[*].quantity"
20 ]
21 },
22 {
23 "name": "Get Orders",
24 "method": "GET",
25 "endpoint": "/orders",
26 "json_paths": [
27 "$.orders[*].id",
28 "$.orders[*].reference",
29 "$.orders[*].current_state",
30 "$.orders[*].total_paid"
31 ]
32 },
33 {
34 "name": "Get Order Detail",
35 "method": "GET",
36 "endpoint": "/orders/{{orderId}}",
37 "variables": [{ "name": "orderId", "type": "integer" }]
38 }
39 ]
40}

Pro tip: PrestaShop product names are returned as an array of language objects (e.g. $.products[*].name[0].value) not a flat string. Use the [0].value path for the default language, or add a filter variable if your store is multilingual.

Expected result: The PrestaShop API Group appears in FlutterFlow's API Calls panel. The Test tab for 'Get Products' returns a parsed JSON response and FlutterFlow shows generated JSON Path fields like $.products[*].id ready to bind to widgets.

4

Bind product and order data to FlutterFlow ListViews

Now that your API Calls are defined and JSON Paths are generated, you can bind the data to UI widgets. Open the page in FlutterFlow where you want to show your PrestaShop product list. Add a ListView widget to the canvas. Select the ListView, open the Backend Query panel on the right, choose API Call as the data source, select PrestaShop → Get Products, and click Confirm. FlutterFlow will ask you which JSON Path array to use as the list — select $.products[*] or the root products array. Each item in the list view now has access to the fields you mapped: id, name, price, quantity. Add child widgets inside the ListView: a Text widget for the product name, bound to the name[0].value JSON path; a Text widget for the price; and an Image widget if your response includes image_link. For the price field, PrestaShop returns prices as strings formatted with tax — check your response to decide whether to display as-is or convert. For the Orders screen, repeat the same process: ListView → Backend Query → PrestaShop → Get Orders. Bind order reference, current_state (numeric ID representing the order status — you may want to map it to labels like 'Processing', 'Shipped' using a conditional in FlutterFlow), and total_paid to Text widgets. For pagination, add a variable page to your backend query and wire it to a 'Load More' Button action that increments the variable. In the API Call URL, add a query parameter limit with value '20,{{page}}' where the PrestaShop pagination format is limit=offset,count — 20,0 returns items 0-19, 20,20 returns items 20-39.

Pro tip: PrestaShop's current_state for orders is a numeric ID from 1-12 (1=Awaiting payment, 2=Payment accepted, 4=Shipped, etc.). Create a helper function in FlutterFlow's Custom Code to map these integers to human-readable labels.

Expected result: Your FlutterFlow app displays a scrollable list of PrestaShop products with names and prices. The orders screen shows a list of orders with their references and statuses. Tapping an order navigates to the detail screen populated by the Get Order Detail API Call.

5

Proxy write operations through a Firebase Cloud Function

For any operation that modifies your store — creating an order, updating stock, changing product details — the Webservice key must not be embedded in the client app. Instead, you deploy a Firebase Cloud Function that holds the key in its environment configuration and accepts calls from your FlutterFlow app. In the Firebase console, go to your project → Functions → Get Started (if you haven't already, upgrade to the Blaze pay-as-you-go plan, which is required for outbound network calls from Cloud Functions). Use the Firebase console's Functions editor or deploy via the Firebase CLI from your local machine. The Cloud Function receives a request from FlutterFlow (which sends the customer's cart data as a JSON body), validates it, then calls the PrestaShop Webservice with the secret key stored as a Firebase environment variable — never passed from the client. The function returns the new order ID and confirmation back to FlutterFlow. In FlutterFlow, create a new API Group named 'PrestaShopProxy' with the base URL of your Cloud Function (e.g. https://us-central1-yourproject.cloudfunctions.net). Add an API Call named 'Create Order' with method POST. Wire it to an Action in the checkout flow: when the user taps 'Place Order', trigger this API Call with the cart data as request body. Map the returned order ID to App State for display on the confirmation screen. This pattern means only Firebase (a secure server environment) ever holds or uses the Webservice key. Your FlutterFlow client never sees it.

index.js
1// Firebase Cloud Function: createPrestaShopOrder
2// Deploy to Firebase Functions (Node.js 18+)
3const functions = require('firebase-functions');
4const fetch = require('node-fetch');
5
6// Store key in Firebase env: firebase functions:config:set prestashop.key="YOURKEY" prestashop.url="https://yourdomain.com"
7const PS_KEY = functions.config().prestashop.key;
8const PS_URL = functions.config().prestashop.url;
9
10const authHeader = 'Basic ' + Buffer.from(PS_KEY + ':').toString('base64');
11
12exports.createPrestaShopOrder = functions.https.onRequest(async (req, res) => {
13 // Optional: verify request is from your FlutterFlow app (e.g. check a shared secret header)
14 if (req.method !== 'POST') {
15 return res.status(405).send('Method Not Allowed');
16 }
17
18 const orderPayload = req.body; // JSON cart data from FlutterFlow
19
20 try {
21 const response = await fetch(
22 `${PS_URL}/api/orders?output_format=JSON`,
23 {
24 method: 'POST',
25 headers: {
26 'Authorization': authHeader,
27 'Content-Type': 'application/json',
28 },
29 body: JSON.stringify(orderPayload),
30 }
31 );
32
33 const data = await response.json();
34 res.status(response.status).json(data);
35 } catch (err) {
36 console.error('PrestaShop order creation failed:', err);
37 res.status(500).json({ error: 'Order creation failed' });
38 }
39});

Pro tip: Enable CORS on your Cloud Function if your FlutterFlow app targets the web platform. Add the cors npm package and wrap the handler: const cors = require('cors')({ origin: true }); then wrap your handler in cors(req, res, () => { ... });

Expected result: Your Firebase Cloud Function is deployed and accessible at its HTTPS URL. The FlutterFlow 'Create Order' API Call successfully posts to the function, which creates an order in PrestaShop and returns the order ID. No Webservice key appears anywhere in the FlutterFlow project or exported Dart code.

Common use cases

Customer mobile catalog and order tracking app

A Flutter app that lets your PrestaShop customers browse the product catalog, view prices and stock levels, and track the status of their existing orders — all pulling live data from the Webservice API. The app surfaces order progress (awaiting payment, processing, shipped) using JSON path bindings on /orders/{id}.

FlutterFlow Prompt

Build a product catalog screen that lists products with name, price, and thumbnail from PrestaShop, plus an order history screen that shows order status for a given customer ID.

Copy this prompt to try it in FlutterFlow

Store staff order management dashboard

An internal mobile app for store employees that lists new and pending orders, allows staff to view order line items, and marks orders as processed. Order status updates go through a Firebase Cloud Function proxy so the Webservice key is never exposed in the client app.

FlutterFlow Prompt

Create an order management app for store staff that lists all pending orders, shows line items and shipping address, and has a button to mark an order as shipped by calling a backend proxy.

Copy this prompt to try it in FlutterFlow

Inventory monitoring app

A lightweight app for store owners that displays current stock quantities across all products, highlights items below a threshold, and allows restocking notes. Product inventory data is fetched from /products?output_format=JSON and filtered in FlutterFlow conditional logic.

FlutterFlow Prompt

Build an inventory dashboard that fetches all products from PrestaShop, displays name and quantity in stock, and highlights products where quantity falls below 10 units.

Copy this prompt to try it in FlutterFlow

Troubleshooting

FlutterFlow API Call returns data but no JSON Paths are populated — all fields show empty

Cause: The API is returning XML instead of JSON because ?output_format=JSON is missing from the request URL or query parameters.

Solution: In the FlutterFlow API Group, make sure output_format=JSON is added as a Query Parameter at the group level, or add ?output_format=JSON explicitly to each API Call endpoint path. In the Response & Test tab, paste the actual response — if it starts with '<?xml', the parameter is missing. Add it, re-test, and regenerate JSON Paths.

401 Unauthorized response from PrestaShop Webservice

Cause: The Basic Auth header is malformed — either the base64 string was generated without the trailing colon after the key (correct: 'KEY:' not 'KEY'), or the Authorization header value is missing the 'Basic ' prefix.

Solution: Re-generate the base64 value by encoding 'YOURKEY:' (key followed by a colon, no password). Verify the Authorization header in FlutterFlow reads exactly 'Basic YOURBASE64STRING'. Also confirm the Webservice key is active in PrestaShop Advanced Parameters → Webservice and has not been deleted or disabled.

403 Forbidden on a specific endpoint like /orders even though the key is valid

Cause: The Webservice key was created without GET permission for the 'orders' resource. PrestaShop enforces per-resource permission scoping — a valid key with no 'orders' permission returns 403.

Solution: Go to PrestaShop back office → Advanced Parameters → Webservice → click the key to edit it → scroll to Permissions → check the GET checkbox for 'orders' → Save. The same applies to any resource your app calls. Re-test the API Call in FlutterFlow after saving the permission change.

XMLHttpRequest error on web builds when testing in FlutterFlow Run mode

Cause: CORS is not configured on the PrestaShop server for browser-origin requests. Native mobile builds bypass CORS (it is enforced only by browsers), so the error only appears in web builds or FlutterFlow's browser-based Run mode.

Solution: Add CORS headers to your PrestaShop Apache/Nginx config for the /api/ path: 'Access-Control-Allow-Origin: *' and 'Access-Control-Allow-Headers: Authorization, Content-Type'. For production, restrict the origin to your specific domain. Alternatively, for web builds, route all API traffic through your Firebase Cloud Function which handles CORS explicitly.

Best practices

  • Always add ?output_format=JSON as a group-level query parameter — a single omission on one API Call will result in an unparseable XML response that is difficult to debug in production
  • Create Webservice keys with the minimum required permissions: a key for the catalog browser app needs only GET on products and categories; never issue a full-access key to a client-side app
  • Never hardcode the base64 Basic Auth string as a plain literal in the API Call header — store it in FlutterFlow App State or, for write-capable keys, keep it exclusively in Firebase Cloud Function environment config
  • Proxy all write operations (POST /orders, PUT /products) through a Firebase Cloud Function — a Webservice key with write permissions embedded in client Dart is a serious security risk
  • Use PrestaShop's pagination query format ?limit=offset,count (e.g. ?limit=0,20 for the first 20 items) and wire offset as a FlutterFlow variable to implement infinite scroll or load-more pagination
  • Your PrestaShop store must run over HTTPS in production; Basic Auth over HTTP transmits credentials in base64 (not encrypted) and PrestaShop may refuse the connection entirely
  • Test the API Call in FlutterFlow's Response & Test tab before binding to UI widgets — paste a real sample response from your store to generate accurate JSON Paths for multilingual name arrays and nested address objects
  • For staff-facing apps, consider adding Firebase Authentication to the FlutterFlow app and verifying the Firebase ID token in your Cloud Function proxy before allowing any PrestaShop write operations

Alternatives

Frequently asked questions

Does FlutterFlow support PrestaShop natively?

No, there is no built-in PrestaShop integration in FlutterFlow. You connect using FlutterFlow's general-purpose API Calls panel, which supports any REST API. The configuration is manual but straightforward — you create an API Group pointing at your PrestaShop Webservice URL and add your auth header. The one non-obvious step is appending ?output_format=JSON to every request.

Why does every PrestaShop API Call need ?output_format=JSON?

The PrestaShop Webservice API was designed before JSON became the web standard, and it defaults to returning XML. FlutterFlow's response mapper only understands JSON — it cannot parse XML responses, so all JSON Path bindings will be empty without the output_format parameter. Add it as a group-level query parameter in FlutterFlow and it will be automatically appended to every API Call in that group.

Is it safe to include the Webservice key in the FlutterFlow app?

A read-only key (GET permissions only on products and categories) over HTTPS carries limited risk — an attacker who finds it can only read your public catalog, which is already public on your website. However, any key with write permissions (creating orders, modifying products, accessing customer data) must never be placed in client code. Route those operations through a Firebase Cloud Function that holds the key as a server-side environment variable.

Can I use this integration for a customer-facing shopping app with checkout?

You can build product browsing and order tracking client-side. For checkout and order creation, you need a backend proxy (Firebase Cloud Function) because the Webservice key required to POST /orders must not be embedded in the app. The Cloud Function receives the cart from FlutterFlow, calls PrestaShop with the key, and returns the order confirmation. If you need help architecting this, RapidDev's team builds FlutterFlow integrations like this every week — free scoping call at rapidevelopers.com/contact.

What pagination format does the PrestaShop Webservice use?

PrestaShop uses a non-standard ?limit=offset,count format — for example, ?limit=0,20 returns the first 20 items, ?limit=20,20 returns items 20-39. This differs from the ?page= and ?per_page= style used by WooCommerce. In FlutterFlow, create an integer variable for offset, default it to 0, and increment by your page size when the user taps 'Load More'. Pass the assembled string as a query parameter variable in your API Call.

My FlutterFlow web build shows a CORS error but the mobile build works fine. Why?

CORS (Cross-Origin Resource Sharing) is enforced only by web browsers, not by native iOS/Android apps. When FlutterFlow runs in a browser (including Run mode and web deployments), the browser checks for CORS headers from the PrestaShop server. Most PrestaShop servers do not add these headers by default, so browser requests to the Webservice fail with an XMLHttpRequest error while the same call from a native app succeeds. The fix is to either add CORS headers to your server config for the /api/ path or proxy all web traffic through a Firebase Cloud Function that handles CORS.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire FlutterFlow integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.