Headless Support
Headless storefronts should call SaveLayer through direct APIs, not through Shopify app proxy.
Auth model
The expected headless pattern is a signed authorization header validated by SaveLayer server-side.
Why direct APIs are preferred
- app proxy is Shopify-specific and merchant-customizable
- headless clients need a stable integration surface
- auth and CORS control are easier to reason about in a dedicated namespace
Current channel shape
- direct API namespace for headless clients
- shared request and response contracts with the Online Store channel
- one shared service layer behind all ingress adapters