API & Analytics
Built for scale, built to integrate
A versioned REST API with SHA-256 key authentication. Enterprise webhooks with HMAC-SHA256 signing and exponential retry backoff. BullMQ background job processing for bulk operations. Analytics with profitability analysis, ingredient usage, and conversion funnels to optimize your menu.
Your storefront isn’t your only channel
As food businesses grow, they outgrow a single storefront. POS terminals need menu data. Delivery platforms need order creation. Corporate clients want a self-service portal. Without an API, each integration is a custom project. And without analytics, menu decisions are guesswork — you don’t know which meals are profitable, which options are popular, or where customers drop off in the ordering funnel.
How the API & Analytics work
Generate API keys from your admin
Navigate to the API Key Manager in your admin dashboard. Create named API keys (e.g., "POS Terminal", "Delivery Platform"). Each key is shown once at creation and stored as a SHA-256 hash — it cannot be retrieved later. Keys display a prefix and last four characters for identification.
Integrate with 9 versioned REST endpoints
The public API at /api/v1/ exposes 9 endpoints: meals (list and detail), categories, menus (list and detail), and orders (create, list, detail, status update). All endpoints are versioned for stability. Include your API key in the X-API-Key header with every request.
Orders flow through the same workflow
Orders created via the API use the same OrderService as storefront orders. They appear in the Kitchen Display, trigger inventory deduction, respect pricing rules, and flow through the same status state machine. There’s no separate system to manage.
Analyze profitability, funnels, and ingredient usage
The analytics dashboard provides four views: a summary with key metrics (orders, revenue, popular meals), profitability analysis (revenue vs. cost per meal with margin percentages), ingredient usage tracking (which options are ordered most and their cost impact), and a conversion funnel (view → customize → add-to-cart rates).
Subscribe to real-time webhooks
Create webhook subscriptions for order events. FoodFlex signs each payload with HMAC-SHA256 using a per-subscription signing secret. Failed deliveries retry with exponential backoff (1 minute, 10 minutes, 1 hour) and auto-disable after 10 consecutive failures. View delivery logs in the admin webhook manager.
Why merchants choose the API & Analytics
9 versioned REST endpoints
Meals, categories, menus, and orders — everything you need to power POS terminals, delivery platform integrations, kiosk applications, and corporate ordering portals. All endpoints are versioned at /api/v1/ for stability.
SHA-256 key security
API keys are hashed with SHA-256 before storage — even a database breach doesn’t expose keys. Per-key rate limiting at 1,000 requests per hour prevents abuse. Enterprise tier gating ensures only paying customers access the API.
Profitability analysis
See revenue, cost, and margin per meal. The analytics engine joins order data with ingredient costs to calculate true profitability. Identify your highest-margin meals and your loss leaders.
Conversion funnel tracking
Track the customer journey from meal view to customization to cart addition. Identify where customers drop off and which meals have the highest conversion rates. Option popularity reports show which customizations drive the most engagement.
Real-time webhooks
Subscribe to order lifecycle events with HMAC-SHA256 signed payloads. Exponential backoff retry ensures reliability. Subscriptions auto-disable after 10 consecutive failures to protect your endpoint. Enterprise tier with up to 10 subscriptions.
Under the hood
API key authentication
API keys are generated as random hex strings, shown to the merchant once, then stored as SHA-256 hashes. The apiKeyAuth middleware hashes the incoming X-API-Key header and looks up the matching key in the ApiKeyModel. Each key stores a keyPrefix and lastFour for display without revealing the full key. Keys are scoped to a shop and enforce Enterprise tier access.
Rate limiting and caching
The public API has two rate limiters: a general limiter (1,000 requests per hour per API key) and an order creation limiter (100 orders per hour per key). GET endpoints are cached in Redis with a 120-second TTL, automatically invalidated on write operations. Cache keys include the shop ID and endpoint path for isolation.
Analytics aggregation pipelines
Analytics data is collected via fire-and-forget event recording with six event types: meal_viewed, meal_customized, meal_added_to_cart, order_placed, addon_selected, and option_selected. MongoDB aggregation pipelines compute dashboard summaries, daily activity trends, meal-level analytics, option popularity rankings, conversion funnels, profitability by meal, and ingredient usage reports.
Enterprise tier gating
API access and analytics are restricted to the Enterprise billing tier ($99/month). The enforceApiKeyLimit middleware checks the merchant’s billing plan before allowing key creation. The analytics gate middleware verifies Enterprise status and that analytics is enabled in merchant settings. Lower tiers see a tier-gate message with upgrade prompts.
Webhook HMAC signing
Each webhook subscription generates a one-time signing secret at creation. Payloads are signed using HMAC-SHA256 with the secret, sent in the X-FoodFlex-Signature header. Recipients verify authenticity by computing the same HMAC. The signing secret is shown once at creation and stored hashed. Subscriptions auto-disable after 10 consecutive delivery failures.
BullMQ background job processing
BullMQ powers 8 job types: analytics-export, bulk-meal-update, product-sync-all, gdpr-shop-deletion, tenant-migration, bulk-nutrition-import, webhook-retries, and subscription-process. A worker processes jobs with concurrency 3. The admin Job Dashboard shows job status, progress, and supports cancellation for waiting and delayed jobs. Available on Professional and Enterprise plans.
Ready to transform your food business?
Join food businesses using FoodFlex to increase order value by 23%, reduce errors by 87%, and delight their customers.
Free plan available · No credit card required · 5-minute setup · 30-day money-back guarantee