Developers

Getting started

Five minutes from zero to your first webhook. You'll create an API key, fetch your locations, post an order, then verify a webhook signature on your end.

1. Create an API key

From the admin app: Settings → Integrations → API & Webhooks → New API key. Pick the scopes the addon needs (e.g. orders:read, products:write) and the locations it can access. The full key (pos_live_...) is shown once on creation — copy it then.

export ANYWHERE_KEY=pos_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

2. Your first request

List the locations the key has access to:

curl https://your-site/api/v1/locations \
  -H "Authorization: Bearer $ANYWHERE_KEY"

Every response carries X-Request-Id and X-Pos-Api-Version, plus X-RateLimit-* headers so you can pace bursts.

3. Create an order

Writes require an Idempotency-Key header — supply any UUID so a network retry doesn't double-charge. Prices and modifier deltas come from the database row; the API ignores client-supplied money.

curl https://your-site/api/v1/orders \
  -X POST \
  -H "Authorization: Bearer $ANYWHERE_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{
    "location_id": "00000000-0000-0000-0000-000000000000",
    "items": [
      { "product_id": "11111111-1111-1111-1111-111111111111", "quantity": 2 }
    ]
  }'

4. Subscribe to webhooks

Endpoints subscribe to one or more event kinds (order.paid, order.refunded, product.updated, etc.). The signing secret is returned exactly once on create.

curl https://your-site/api/v1/webhooks \
  -X POST \
  -H "Authorization: Bearer $ANYWHERE_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "stock-control",
    "url": "https://stock.example.com/anywhere-webhook",
    "subscribed_events": ["order.paid", "order.refunded", "product.updated"]
  }'

5. Verify the signature

Every webhook POST carries X-Pos-Signature: t=<unix>,v1=<hex>. Re-compute HMAC-SHA256 over <t>.<body> with the signing secret and compare in constant time. Reject requests older than 5 minutes.

Node.js

import { createHmac, timingSafeEqual } from "node:crypto";

// rawBody must be the exact request body as received, before any JSON parsing.
export function verifyAnywhereSignature(rawBody: string, header: string, secret: string): boolean {
  // Require a full SHA-256 digest (64 hex chars) after v1=.
  const m = header.match(/t=(\d+),v1=([0-9a-f]{64})/);
  if (!m) return false;
  const t = Number(m[1]);
  if (Math.abs(Date.now() / 1000 - t) > 300) return false; // 5-min window
  const expected = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  const actual = Buffer.from(m[2], "hex");
  // Length check first: timingSafeEqual throws on buffers of different length.
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

Python

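import hashlib
import hmac
import re
import time

def verify_anywhere_signature(raw_body: bytes, header: str, secret: str) -> bool:
    # Require a full SHA-256 digest (64 hex chars) so bytes.fromhex() cannot
    # raise ValueError on an odd-length value.
    m = re.match(r"t=(\d+),v1=([0-9a-f]{64})", header)
    if not m:
        return False
    t = int(m.group(1))
    if abs(time.time() - t) > 300:  # 5-minute window
        return False
    # raw_body is the exact request body as received, before any JSON parsing.
    expected = hmac.new(secret.encode(), f"{t}.".encode() + raw_body, hashlib.sha256).digest()
    actual = bytes.fromhex(m.group(2))
    return hmac.compare_digest(expected, actual)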
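
The check from step 5 placed inside a receiver, as an added example that is not part of the original Anywhere POS documentation. It shows why the MAC must be computed over the raw bytes before JSON parsing and how the 5-minute window rejects a replayed delivery. The names mac, sign_delivery and handle_delivery, the HTTP status codes, and the secret and payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import re
import time

SIG_RE = re.compile(r"t=(\d+),v1=([0-9a-f]{64})")  # SHA-256 digest = 64 hex chars
MAX_AGE = 300  # seconds: the 5-minute window from step 5

def mac(raw_body: bytes, secret: str, t: int) -> bytes:
    """HMAC-SHA256 over <t>.<body>, as described in step 5."""
    return hmac.new(secret.encode(), f"{t}.".encode() + raw_body, hashlib.sha256).digest()

def sign_delivery(raw_body: bytes, secret: str, t: int) -> str:
    """Build the header a sender would attach (used here only to construct test input)."""
    return f"t={t},v1={mac(raw_body, secret, t).hex()}"

def handle_delivery(raw_body: bytes, headers: dict, secret: str, now=None):
    """Return (status, event_or_None). Status codes are this example's choice."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    now = time.time() if now is None else now
    m = SIG_RE.match(hdrs.get("x-pos-signature", ""))
    if not m:
        return 400, None  # missing or malformed signature header
    t = int(m.group(1))
    if abs(now - t) > MAX_AGE:
        return 401, None  # timestamp outside the window: treat as a replay
    if not hmac.compare_digest(mac(raw_body, secret, t), bytes.fromhex(m.group(2))):
        return 401, None  # body or timestamp altered, or wrong secret
    try:
        return 200, json.loads(raw_body)  # parse only after the MAC checks out
    except ValueError:
        return 400, None  # authentic but not valid JSON

# Constructed sample delivery (not real traffic).
SECRET = "constructed-signing-secret"
BODY = b'{"kind":"order.paid","order_id":"constructed-1"}'
NOW = 1_700_000_000
GOOD = {"X-Pos-Signature": sign_delivery(BODY, SECRET, NOW)}
# Same JSON after a parse/serialise round trip: the bytes differ, so the MAC fails.
RESERIALISED = json.dumps(json.loads(BODY)).encode()

if __name__ == "__main__":
    print(handle_delivery(BODY, GOOD, SECRET, now=NOW))          # accepted
    print(handle_delivery(RESERIALISED, GOOD, SECRET, now=NOW))  # rejected: bytes changed
    print(handle_delivery(BODY, GOOD, SECRET, now=NOW + 301))    # rejected: too old
```

In a web framework, read the request body as bytes and pass those to the check; a body that middleware has already parsed and re-encoded will not verify.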

What's next

  • Browse the full API in the interactive docs.
  • Pull historical events via GET /api/v1/events?since=... if a webhook is missed.
  • Manually replay a failed delivery from the admin Webhooks tab or via POST /webhooks/{id}/deliveries/{deliveryId}/retry.
Getting started — Anywhere POS API · Anywhere POS