To integrate Shift4Shop (formerly 3dcart) with Lovable, create a Supabase Edge Function that proxies REST API calls using your Shift4Shop Private Token stored in Cloud Secrets. This lets you build custom storefronts, product browsers, and order management tools in Lovable backed by your Shift4Shop store — without exposing your API token in frontend code. Setup takes about 40 minutes.
Build a Custom Storefront or Admin Tool for Your Shift4Shop Store in Lovable
Shift4Shop's biggest differentiator is its free enterprise-tier plan — available to US merchants who process payments through Shift4, it includes unlimited products, no transaction fees, and features that cost hundreds of dollars per month on competing platforms. If you already use Shift4Shop for your store, Lovable lets you extend it with a custom-designed React frontend or an internal admin tool that pulls live data from your store without touching the Shift4Shop theme system.
The integration follows Lovable's standard pattern for authenticated e-commerce APIs: all calls to the Shift4Shop REST API route through a Supabase Edge Function. Your Private Token — the credential that authenticates your API calls — is stored encrypted in Cloud → Secrets. The Edge Function acts as a secure proxy, forwarding requests from your React frontend to the Shift4Shop REST API at https://apirest.3dcart.com/3dCartWebAPI/v1/ and returning product catalogs, order data, and customer records.
Shift4Shop differs from BigCommerce in its pricing model: Shift4Shop is effectively free for US merchants using Shift4 as their payment processor, while BigCommerce charges monthly fees regardless of payment processor. This makes Shift4Shop particularly attractive for bootstrapped e-commerce founders who want enterprise features without the SaaS subscription cost. This guide covers the most useful API endpoints — Products, Orders, and Customers — and shows how to wire them into a Lovable app.
Integration method
Shift4Shop integration in Lovable works by routing all API calls through Supabase Edge Functions running on Deno. Your Shift4Shop Private Token is stored as an encrypted secret in Cloud → Secrets and accessed via Deno.env.get() — never exposed to the browser. The React frontend calls the Edge Function, which authenticates with the Shift4Shop REST API using Bearer token authentication and returns products, orders, and customer data.
Prerequisites
- An active Shift4Shop store (free enterprise plan available for US merchants using Shift4 payment processing, or any paid plan)
- Shift4Shop admin access to generate a REST API Private Token from your store's API settings
- Your store's Shift4Shop API base URL — this is typically https://apirest.3dcart.com/3dCartWebAPI/v1/ but may vary for older 3dcart accounts
- A Lovable project with Lovable Cloud enabled (the default for all new projects)
- Basic understanding of REST API concepts — the Shift4Shop API uses GET for reading data and PUT/POST for creating or updating records
Step-by-step guide
Generate your Shift4Shop REST API Private Token
Generate your Shift4Shop REST API Private Token
Log in to your Shift4Shop store admin panel at [yourstorename].shift4shop.com/manager. In the left navigation, go to Settings → API and click the REST API tab. If you haven't enabled the REST API before, click Enable REST API. Shift4Shop will display your store's REST API key — this is called the Private Token and it's the credential used for Bearer token authentication. Copy the Private Token — it's a long alphanumeric string. Also note your store's base URL for API calls. For most Shift4Shop stores this is https://apirest.3dcart.com/3dCartWebAPI/v1/, but if your store was originally a 3dcart account migrated to Shift4Shop, verify this in the API settings page. The API key section also shows your Store URL which you'll need for constructing correct API endpoints. Note that Shift4Shop's REST API uses two authentication headers: PrivateKey (your store's secret token) and Token (an optional public key). For server-side Edge Function usage, you only need the PrivateKey. The API documentation is available at apirest.3dcart.com where you can browse all endpoints and their expected request/response formats before building your integration.
Pro tip: If you don't see a REST API tab in Settings → API, your Shift4Shop account may need to be on a paid plan or the free enterprise plan with Shift4 processing active. Contact Shift4Shop support to confirm REST API access is included in your plan.
Expected result: You have a Shift4Shop Private Token (a long string like 'abc123def456...') copied and ready to store in Cloud Secrets.
Store credentials in Cloud Secrets
Store credentials in Cloud Secrets
With your Shift4Shop Private Token in hand, store it securely in Lovable's Cloud Secrets panel. In your Lovable project, click the '+' icon next to the Preview panel at the top of the screen to open the Cloud tab. Inside the Cloud tab, click Secrets in the left sidebar. Click Add Secret to create a new encrypted secret. Set the name to SHIFT4SHOP_PRIVATE_TOKEN and paste your Private Token as the value, then click Save. If your store has a custom API base URL that differs from the default apirest.3dcart.com, add a second secret named SHIFT4SHOP_BASE_URL with your store's base API URL as the value. Shift4Shop's API also uses your store key as part of request headers. Some API operations require knowing your store's unique key (different from the private token) — you can find this in Settings → API as well. Add it as SHIFT4SHOP_STORE_KEY if needed. The Cloud Secrets panel encrypts all values immediately on save — once stored, you'll only see the secret name, not the value, which confirms it's properly protected. Lovable's security system blocks approximately 1,200 hardcoded API keys per day; using Cloud Secrets keeps your Shift4Shop credentials out of your Git history and frontend code.
Pro tip: The Shift4Shop API uses 'SecureURL' in some documentation — this refers to your store's HTTPS domain, not the API endpoint. Make sure you're storing the REST API Private Token, not your store domain.
Expected result: Cloud → Secrets shows SHIFT4SHOP_PRIVATE_TOKEN (and optionally SHIFT4SHOP_BASE_URL) as encrypted entries.
Create the Shift4Shop Edge Function proxy
Create the Shift4Shop Edge Function proxy
Now create the Edge Function that will proxy calls to the Shift4Shop REST API. Type the prompt below into Lovable's chat. Lovable will generate the TypeScript code at supabase/functions/shift4shop-proxy/index.ts and deploy it to your Cloud project. The Edge Function reads your Private Token from Deno.env.get('SHIFT4SHOP_PRIVATE_TOKEN') and constructs the required authentication headers. Shift4Shop's REST API requires the Private Token in the PrivateKey header and expects the Content-Type to be application/json. The function accepts a path query parameter containing the specific API endpoint to call (e.g., '/Products', '/Orders', '/Customers'), and a method parameter for GET, POST, or PUT. It proxies the request to the Shift4Shop API base URL and returns the response. CORS headers are included on all responses so your React frontend can call the function from the browser. The function supports all common Shift4Shop REST API operations — reading product catalogs, creating or updating products, fetching orders, and looking up customer records — by forwarding whatever path and parameters you pass from the frontend.
Create a Supabase Edge Function at supabase/functions/shift4shop-proxy/index.ts that proxies requests to the Shift4Shop REST API. Use Deno.env.get('SHIFT4SHOP_PRIVATE_TOKEN') for authentication. The function should accept a 'path' query parameter (e.g., '/Products', '/Orders'), a 'method' query parameter (GET, POST, PUT), and forward any request body to the Shift4Shop API at https://apirest.3dcart.com/3dCartWebAPI/v1/{path}. Set the PrivateKey header with the token and Content-Type to application/json. Include CORS headers in all responses. Pass through any additional query parameters from the incoming request to the Shift4Shop API URL.
Paste this in Lovable chat
1import { serve } from 'https://deno.land/std@0.168.0/http/server.ts'23const SHIFT4SHOP_BASE = 'https://apirest.3dcart.com/3dCartWebAPI/v1'45const corsHeaders = {6 'Access-Control-Allow-Origin': '*',7 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',8}910serve(async (req) => {11 if (req.method === 'OPTIONS') {12 return new Response('ok', { headers: corsHeaders })13 }1415 try {16 const privateToken = Deno.env.get('SHIFT4SHOP_PRIVATE_TOKEN')1718 if (!privateToken) {19 return new Response(20 JSON.stringify({ error: 'SHIFT4SHOP_PRIVATE_TOKEN not configured in Cloud Secrets' }),21 { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }22 )23 }2425 const url = new URL(req.url)26 const apiPath = url.searchParams.get('path') || '/Products'27 const method = url.searchParams.get('method') || 'GET'2829 // Forward additional query params to Shift4Shop30 const forwardParams = new URLSearchParams()31 for (const [key, value] of url.searchParams.entries()) {32 if (key !== 'path' && key !== 'method') {33 forwardParams.append(key, value)34 }35 }3637 const paramString = forwardParams.toString()38 const shift4ShopUrl = `${SHIFT4SHOP_BASE}${apiPath}${paramString ? '?' + paramString : ''}`3940 const requestInit: RequestInit = {41 method,42 headers: {43 'PrivateKey': privateToken,44 'Content-Type': 'application/json',45 'Accept': 'application/json',46 },47 }4849 if (method !== 'GET' && method !== 'HEAD') {50 requestInit.body = await req.text()51 }5253 const apiResponse = await fetch(shift4ShopUrl, requestInit)54 const data = await apiResponse.json()5556 return new Response(JSON.stringify(data), {57 status: apiResponse.status,58 headers: { ...corsHeaders, 'Content-Type': 'application/json' },59 })60 } catch (error) {61 return new Response(62 JSON.stringify({ error: error.message }),63 { status: 500, headers: { ...corsHeaders, 'Content-Type': 'application/json' } }64 )65 }66})Pro tip: Shift4Shop's REST API returns arrays even for single-item responses. Always handle the response as an array and access index [0] when you expect a single product or order.
Expected result: Lovable deploys the Edge Function and confirms it's live in Cloud → Edge Functions. The function is ready to proxy Shift4Shop API calls.
Build product and order components and test the integration
Build product and order components and test the integration
With the Edge Function deployed, ask Lovable to build your first Shift4Shop-connected component. Start with the product catalog as it's the most common use case and requires only GET requests to the /Products endpoint. The Shift4Shop Products API returns an array of product objects, each containing fields like SKUInfo (array of SKU objects with price and stock), Name, MainPicture, Description, CategoryList, and more. Lovable will generate TypeScript interfaces for these response types and create properly typed React components. For the order management dashboard, the Orders API at /Orders returns order objects with fields including InvoiceNumber, OrderDate, CustomerEmail, OrderStatusDescription, OrderAmount, and an array of OrderItems. Add query parameters like ?limit=25&offset=0 for pagination and ?Status=New to filter by order status. Test each API endpoint by checking that real data from your Shift4Shop store appears in your Lovable preview. If you see a 401 response, verify the SHIFT4SHOP_PRIVATE_TOKEN secret is set correctly. If you see a 404, confirm your store is on a plan that includes REST API access and that the endpoint path matches the Shift4Shop API documentation exactly.
Create a product catalog page that fetches products from my Shift4Shop store using the shift4shop-proxy Edge Function with path=/Products and method=GET. Display products in a responsive grid with product image, name, price (from SKUInfo[0].Price), and stock status (from SKUInfo[0].Stock). Add a search input that passes a ?name= query parameter to the Edge Function. Show a loading skeleton while fetching and an error message if the API call fails.
Paste this in Lovable chat
Pro tip: Shift4Shop API pagination uses 'limit' and 'offset' parameters rather than 'page' and 'per_page'. Start with limit=25&offset=0 and increment offset by 25 for each additional page.
Expected result: Products from your Shift4Shop store appear in the Lovable preview as a responsive grid. The search input filters products by name in real time.
Common use cases
Custom product catalog storefront
Build a branded product catalog page in Lovable that pulls live inventory, pricing, and images directly from your Shift4Shop store. Customers browse your products in a custom React UI while all stock management stays in Shift4Shop admin.
Create a product catalog page that fetches products from my Shift4Shop store via an Edge Function. Call the Shift4Shop REST API at /3dCartWebAPI/v1/Products with my Bearer token from Cloud Secrets. Display product cards with name, price, main image, and in-stock status. Add search and category filter functionality using the API's search parameters.
Copy this prompt to try it in Lovable
Order management dashboard for store admins
Build an internal order management interface that shows recent Shift4Shop orders, their status, customer details, and line items. Admins can view and filter orders without logging into the Shift4Shop admin panel.
Build an order management dashboard that fetches orders from my Shift4Shop store via the dhl-proxy Edge Function calling /3dCartWebAPI/v1/Orders. Show a table with order number, customer name, order date, total, and status. Add status filter buttons (New, Processing, Shipped, Completed). When clicking an order row, show a detail panel with line items and shipping address. Store my Shift4Shop token in Cloud Secrets as SHIFT4SHOP_PRIVATE_TOKEN.
Copy this prompt to try it in Lovable
Customer lookup and order history tool
Create a customer service tool that lets your support team look up a customer by email address and see their complete order history from Shift4Shop. Useful for handling support tickets without sharing Shift4Shop admin credentials with the whole team.
Create a customer lookup tool that searches Shift4Shop customers by email using the Edge Function calling /3dCartWebAPI/v1/Customers?Email={email}. Show the customer's name, registration date, and lifetime order count. Below that, list all their orders fetched from /3dCartWebAPI/v1/Orders?CustomerEmail={email}, showing order number, date, total, and status. Use my SHIFT4SHOP_PRIVATE_TOKEN secret.
Copy this prompt to try it in Lovable
Troubleshooting
API returns 401 Unauthorized on every request
Cause: The PrivateKey header is missing, the token value in Cloud Secrets is incorrect, or the Shift4Shop store's REST API has not been enabled in Settings → API.
Solution: Log in to Shift4Shop admin, go to Settings → API → REST API tab, and confirm the API is enabled and the Private Token matches what's stored in Cloud Secrets. Delete and re-enter the SHIFT4SHOP_PRIVATE_TOKEN secret if there's any doubt about extra whitespace in the value. Verify the Edge Function code sets the header as 'PrivateKey' (not 'Authorization' or 'Bearer').
Products endpoint returns an empty array even though the store has products
Cause: The Shift4Shop API paginates at 100 results by default. If no products appear, the account may be on a plan that restricts API access, or the REST API URL for older 3dcart-migrated stores may differ from the default.
Solution: Verify your store plan includes REST API access. For stores migrated from 3dcart, the API base URL might be https://apirest.3dcart.com/3dCartWebAPI/v1/ — check Settings → API for the exact URL. Add limit=10 to the request parameters and verify you can retrieve at least the first 10 products before building pagination.
Edge Function times out on large product catalog requests
Cause: Fetching a large product catalog in a single API call can exceed the Edge Function's default execution time, especially if the store has thousands of SKUs.
Solution: Implement pagination in your React component — fetch 25-50 products at a time using limit and offset parameters. Display a 'Load More' button or infinite scroll rather than fetching the entire catalog at once. This also improves the initial page load time for your end users.
1// Paginated products fetch2const fetchProducts = async (offset = 0, limit = 25) => {3 const res = await supabase.functions.invoke('shift4shop-proxy', {4 body: null,5 headers: { 'Content-Type': 'application/json' },6 })7 // Use query params: path=/Products&limit=25&offset=08}CORS error when the React component calls the Edge Function
Cause: The Edge Function is not returning CORS headers on error responses, or the OPTIONS preflight request is not being handled before the auth check.
Solution: Ensure the OPTIONS preflight handler is the very first check in the Edge Function, before any authentication logic. Also verify every Response — including error responses in catch blocks — includes the corsHeaders spread. Redeploy the Edge Function via Lovable chat with the corrected CORS handling.
1// OPTIONS must be handled FIRST2if (req.method === 'OPTIONS') {3 return new Response('ok', { headers: corsHeaders })4}Best practices
- Store only the Private Token in Cloud Secrets — never store the Store URL as it's not a secret, but do store it if it differs from the default so you can update it without code changes.
- Implement pagination on all list endpoints (Products, Orders, Customers) using limit and offset parameters — the Shift4Shop API has a maximum return of 100 items per request and will silently truncate larger requests.
- Cache product catalog data in Supabase with a short TTL (5-15 minutes) to reduce API calls during high-traffic periods — product listings don't change frequently enough to require a fresh API call on every page load.
- Use the Shift4Shop sandbox or a staging store for development and testing before pointing your integration at your live store — order creation and customer modifications via API affect real data immediately.
- Map Shift4Shop order status codes to human-readable labels in your frontend — the API returns numeric status codes that need to be translated to 'New', 'Processing', 'Shipped', etc. based on your store's status configuration.
- Validate that your Shift4Shop plan includes the API endpoints you need before building — some endpoints (like bulk product updates and abandoned cart data) are only available on higher-tier plans.
- For the free enterprise plan with Shift4 processing, verify that Shift4 payment processing is fully active on your account before building checkout integrations — the free tier requires active Shift4 processing to remain free.
Alternatives
BigCommerce offers a more mature headless commerce API and stronger developer tooling, making it a better fit if you need advanced catalog management and are willing to pay the monthly SaaS fee.
WooCommerce is the better choice if you want a fully self-hosted store on WordPress with complete control over your server infrastructure and no dependency on a hosted platform.
Ecwid is easier to embed into existing websites and has a simpler API, making it a good alternative if you want to add a store to an existing site rather than building a standalone storefront.
Frequently asked questions
Is Shift4Shop really free? What's the catch?
Shift4Shop's enterprise plan is free for US-based merchants who process payments exclusively through Shift4 Payments. If you switch payment processors or stop using Shift4, your plan reverts to a paid tier. The free plan includes unlimited products, unlimited bandwidth, and most enterprise features — it's genuinely a full-featured plan, not a stripped-down free tier.
What happened to 3dcart — is it the same as Shift4Shop?
Yes. Shift4 Payments acquired 3dcart in 2020 and rebranded it as Shift4Shop. Existing 3dcart stores were migrated to the Shift4Shop platform. The REST API endpoints and authentication methods are largely the same, but some older 3dcart stores may have different API base URLs. Check Settings → API in your store admin to confirm your exact API endpoint.
Can I use the Shift4Shop API to process payments through Lovable?
Shift4Shop's REST API handles order management, products, and customers — payment processing itself is handled by the Shift4 payment gateway through the Shift4Shop checkout page. For a typical Lovable integration, you'd display products and cart functionality in your React app, then redirect customers to the Shift4Shop checkout URL for payment. The Shift4Shop API doesn't expose payment processing endpoints for third-party integrations.
How do I handle product variants (sizes, colors) in the Shift4Shop API?
Shift4Shop represents product variants as SKUs within the SKUInfo array on each product object. Each SKU has its own price, stock level, and option values (size, color, etc.). When building a product detail page, fetch the full product object and iterate through SKUInfo to display all available variants with their individual prices and stock status.
Is there a Shift4Shop API rate limit I should know about?
Shift4Shop does not publish a specific rate limit number, but their API documentation recommends not making more than one request per second for bulk operations. For typical storefront use (browsing, searching, order lookup), you're unlikely to hit any limits. If you're doing bulk product imports or exports, add small delays between requests and implement retry logic for any 429 responses.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation