Integrating with Suppliers via API: A Step-by-Step Guide to Getting Started
-
Anton Koval
Copywriter Elbuz
Manually uploading price lists from suppliers takes hours every day. The manager downloads the Excel file, checks the format, imports it into the system, and manually reconciles inventory. When working with 10 suppliers, this becomes a nightmare—outdated data, import errors, and lost sales due to outdated inventory information.
API integration solves this problem once and for all. The system automatically receives price and inventory updates in real time, without human intervention. In this guide, we'll explain what an API is in simple terms, how to connect to a supplier in 10 steps, show code examples, and explain how to avoid common integration errors.
What is an API and How Does it Work? Explained for Non-Technical Users
An API (Application Programming Interface) is a way for two programs to automatically exchange data. Think of a waiter at a restaurant: you (your store) order a dish (data), the waiter (API) transmits the order to the kitchen (the supplier) and brings back the finished dish (the price list, leftovers).
Key benefits of API integration:
- Automation — data is updated without human intervention, on a schedule or in real time
- Accuracy — manual input errors, typos, and incorrect formats are eliminated
- Speed — updating data takes seconds instead of hours of manual work
- Relevance — information on prices and stock is always up-to-date, synchronization occurs every 15-60 minutes
- Scalability — it’s easy to connect dozens of suppliers, the system can handle any volume
- Saving — managers spend time on sales, not on uploading price lists
Here's an example of how API integration works:
- Your system is sending a request — "Give me current prices for all products in the 'Electronics' category."
- The provider's API is processing the request — checks your authorization, searches for data in the database
- The supplier sends a response — a list of products with prices, stock levels, and descriptions in JSON format
- Your system is processing the response. - updates the database, changes prices on the website
- The process repeats automatically. — on a schedule (every 30 minutes) or by event (webhook)
Important: The API only works with providers who provide API access. If the provider only works via Excel files, use automatic download of price lists via Email/FTP.
Step-by-step guide to integrating with a supplier via API
The integration process with the provider's API consists of 10 sequential steps. Even if you don't have a technical background, you can follow these instructions.
Step 1: Access the Provider API
Contact your vendor and request API documentation. Typically, they'll provide you with:
- API endpoint — The URL to send requests to (e.g. https://api.supplier.com/v1)
- API key — a unique authorization key (for example, sk_live_51K3xYz...)
- Documentation — description of available methods, request parameters and response formats
- Limits — limits on the number of requests (usually 100-1000 per hour)
Step 2: Review the API documentation
Before beginning the integration, please review the documentation carefully. Please note:
- Available API methods (get price list, check balances, place an order)
- Data formats (JSON, XML, CSV)
- Required query parameters
- Response format and error codes
- Rate limits (request frequency limits)
Step 3: Set up authentication
The API requires you to verify your identity before each request. There are three main authentication methods:
API Key (the simplest method)
The key is passed in the header or request parameters:
GET https://api.supplier.com/v1/products Headers: Authorization: Bearer sk_live_51K3xYz7HqP4mD8f... Content-Type: application/jsonOAuth 2.0 (for complex integrations)
Requires obtaining a temporary token through the authorization process:
POST https://api.supplier.com/oauth/token Body:{ "grant_type": "client_credentials", "client_id": "your_client_id", "client_secret": "your_client_secret" } Response:{ "access_token": "eyJhbGciOiJIUzI1NiIs...", "token_type": "Bearer", "expires_in": 3600 }JWT (JSON Web Token)
An encrypted token containing user information and access rights.
Step 4: Create a test request
Test the connection with a simple request. Use Postman or cURL:
Example with Postman:
- Download and install Postman (for free)
- Create a new request: GET method
- Enter URL: https://api.supplier.com/v1/products
- Add an Authorization header with your API key.
- Click Send and check the response.
Example with cURL (command line):
curl -X GET "https://api.supplier.com/v1/products" \ -H "Authorization: Bearer sk_live_51K3xYz..." \ -H "Content-Type: application/json"Step 5: Get a list of products
The main request for obtaining a price list with current prices and balances:
Request:
GET https://api.supplier.com/v1/products?category=electronics&in_stock=true Headers: Authorization: Bearer sk_live_51K3xYz... Content-Type: application/jsonResponse (JSON):
{ "status": "success", "total": 156, "page": 1, "per_page": 50, "data": [{ "sku": "ELEC-12345", "name": "Wireless Headphones Sony WH-1000XM5", "price": 349.99, "currency": "USD", "stock": 47, "warehouse": "EU-Warsaw", "category": "Electronics", "brand": "Sony", "ean": "4548736134683", "weight": 0.25, "updated_at": "2025-10-21T08:30:00Z" },{ "sku": "ELEC-12346", "name": "Smart Watch Apple Watch Series 9", "price": 429.00, "currency": "USD", "stock": 23, "warehouse": "EU-Amsterdam", "category": "Electronics", "brand": "Apple", "ean": "0195949038569", "weight": 0.15, "updated_at": "2025-10-21T08:30:00Z" } ] }Step 6: Process the API response
Your system must process the received data correctly:
- Check the response status (status: "success" or HTTP code 200)
- Extract an array of products from the "data" field
- For each product, update or create a record in the database
- Compare products by SKU or EAN code
- Update prices, stock, descriptions
- Log changes for auditing
Example of JavaScript processing:
async function updateProductsFromAPI() { try { const response = await fetch('https://api.supplier.com/v1/products', { method: 'GET', headers:{ 'Authorization': 'Bearer sk_live_51K3xYz...', 'Content-Type': 'application/json' } }); if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } const data = await response.json(); for (const product of data.data) { await updateProductInDatabase({ sku: product.sku, price: product.price, stock: product.stock, updated_at: product.updated_at } ); } console.log(`Updated ${data.total} products successfully`); } catch (error){ console.error('API integration error:', error); sendAlertToAdmin(error); } }Step 7: Set up error handling
The API may return errors for various reasons. It's important to handle them correctly:
Typical HTTP error codes:
| Code | Name | Cause | Solution |
|---|---|---|---|
| 400 | Bad Request | Invalid request format | Check the parameters and JSON structure |
| 401 | Unauthorized | Invalid API key | Check the authorization token |
| 403 | Forbidden | No access rights | Request extended rights from the provider |
| 404 | Not Found | Resource not found | Check the endpoint URL |
| 429 | Too Many Requests | Request limit exceeded | Reduce request rate, add delays |
| 500 | Internal Server Error | Server-side error | Please repeat your request in 1-5 minutes. |
| 503 | Service Unavailable | The server is temporarily unavailable | Please try your request again later and adjust your retry logic. |
Retry Logic:
async function fetchWithRetry(url, options, maxRetries = 3) { for (let i = 0; i< maxRetries; i++) { try { const response = await fetch(url, options); if (response.ok) { return await response.json(); } // Если 429 (Too Many Requests) - ждем дольше if (response.status === 429) { const retryAfter = response.headers.get('Retry-After') || 60; console.log(`Rate limit hit, waiting ${retryAfter} seconds`); await sleep(retryAfter * 1000); continue; } // Если 5xx - повторяем с экспоненциальной задержкой if (response.status > = 500) { const delay = Math.pow(2, i) * 1000; // 1s, 2s, 4s console.log(`Server error, retrying in ${delay}ms`); await sleep(delay); continue; } // For other errors, do not repeat throw new Error(`HTTP ${response.status}: ${response.statusText}`); } catch (error) { if (i === maxRetries - 1) throw error; console.log(`Attempt ${i + 1} failed, retrying...`); } } }Step 8. Set up Rate Limiting and Throttling
Most APIs limit the number of requests to prevent server overload. Typical limits are:
- 100 requests per minute — for basic tariffs
- 1000 requests per hour — for standard tariffs
- 10,000 requests per day — for premium tariffs
How to avoid exceeding limits:
- Use pagination — upload data in portions (50-100 products per request)
- Add delays between requests — 100-500 ms for safety
- Cache responses - do not request the same data repeatedly
- Use webhooks - receive updates only when data changes
- Request only changed data - use the updated_since parameter
Example with speed limit:
// Limit: maximum 10 requests per second const rateLimiter = { requests: [], maxRequests: 10, interval: 1000, // 1 second async waitIfNeeded() { const now = Date.now(); this.requests = this.requests.filter(time => now - time< this.interval); if (this.requests.length > = this.maxRequests) { const oldestRequest = Math.min(...this.requests); const waitTime = this.interval - (now - oldestRequest); await sleep(waitTime); } this.requests.push(Date.now()); } }; // Use before each request await rateLimiter.waitIfNeeded(); const data = await fetch(apiUrl);Step 9: Set up Webhooks for real-time updates
Webhooks are a way to receive automatic notifications from suppliers when prices or inventory changes. Instead of constantly polling the API, the supplier will automatically send you the data when changes occur.
How webhooks work:
- You provide the supplier with a URL to receive notifications (e.g. https://yourstore.com/api/webhook/supplier)
- The supplier registers this URL in its system
- When data changes (price decreases, product becomes available), the supplier sends a POST request to your URL
- Your system receives data and updates the database instantly.
Example of a webhook notification:
POST https://yourstore.com/api/webhook/supplier Headers: X-Webhook-Signature: sha256=5d41402abc4b2a76b9719d911017c592 Content-Type: application/json Body: { "event": "product.updated", "timestamp": "2025-10-21T09:15:00Z", "data":{ "sku": "ELEC-12345", "price": 329.99, "old_price": 349.99, "stock": 52, "old_stock": 47, "changes": ["price", "stock"] } }Webhook processing on your side:
app.post('/api/webhook/supplier', async (req, res) => { try { // Verify signature for security const signature = req.headers['x-webhook-signature']; if (!verifyWebhookSignature(req.body, signature)) { return res.status(401).send('Invalid signature'); } const { event, data } = req.body; if (event === 'product.updated') { await updateProductInDatabase({ sku: data.sku, price: data.price, stock: data.stock } ); console.log(`Product ${data.sku} updated via webhook`); } // Important: quickly respond 200 OK res.status(200).send('Webhook received'); } catch (error){ console.error('Webhook processing error:', error); res.status(500).send('Error processing webhook'); } });Step 10. Set up monitoring and testing
Once the integration has been launched, it is necessary to continuously monitor its operation:
What to monitor:
- Request success rate — percentage of successful responses (should be 98-99%)
- API response time — request processing speed (normal 200-500 ms)
- Number of errors — frequency of 4xx and 5xx errors
- Data relevance — time of the last successful update
- Changes in prices and stocks — a log of all updates for auditing
Monitoring tools:
- Sentry - real-time error tracking
- Datadog / New Relic — API performance monitoring
- Pingdom / UptimeRobot — endpoint availability check
- Custom dashboard — a panel with integration metrics
Advice: Set up email or Telegram alerts when the integration is down for more than an hour. This will allow you to quickly respond to issues and avoid lost sales.
REST API vs. SOAP: Which Protocol Should You Choose?
There are two main protocols for API integration: REST and SOAP. Most modern APIs use REST, but some older systems only work via SOAP.
| Characteristic | REST API | SOAP API |
|---|---|---|
| Protocol | HTTP/HTTPS | HTTP, SMTP, TCP and others |
| Data format | JSON, XML, CSV | XML only |
| Simplicity | Very simple, intuitive | Complex, requires special libraries |
| Speed | Fast (JSON is lighter than XML) | Slow (XML is heavier) |
| Flexibility | Flexible, easily expandable | Rigid structure, strict rules |
| Safety | HTTPS, OAuth, API Keys | WS-Security built into the protocol |
| Usage | Web applications, mobile applications, modern systems | Banking systems, ERP, legacy systems |
| Popularity | 95% of new APIs use REST | Obsolete, used in older systems |
When to use REST:
- New integrations with modern suppliers
- Web applications and mobile applications
- When speed and ease of development are important
- When flexibility in data formats is needed
When to use SOAP:
- Integration with legacy ERP systems (SAP, Oracle)
- High security and transaction requirements
- Banking and financial integration
- When a provider only provides a SOAP API
Recommendation: Choose a REST API whenever possible. REST is easier to implement, faster, and supported by all modern tools. Use SOAP only if you have no other choice.
Authentication methods: API Key, OAuth2, JWT
Authentication is a way to confirm your identity to an API. Different providers use different methods, each with its own specifics.
1. API Key (access key)
How it works: The provider issues a unique key (a long string of characters) that you pass with each request.
Advantages:
- Ease of implementation - one key for all requests
- Does not require complex authorization logic
- Ideal for server-to-server integrations
Flaws:
- If the key is stolen, the attacker gains full access
- You cannot restrict access rights (all or nothing)
- It is difficult to revoke access for a specific client
Example of use:
// In the Authorization header curl -H "Authorization: Bearer sk_live_51K3xYz7HqP4mD8f..." \ https://api.supplier.com/v1/products // Or in the query parameter curl https://api.supplier.com/v1/products?api_key=sk_live_51K3xYz...2. OAuth 2.0 (authorization standard)
How it works: You receive a temporary access token through the authorization process. The token is valid for a limited time (usually 1 hour) and then refreshes.
Advantages:
- High security - tokens are temporary and automatically renewed
- Flexible access rights (scopes) - you can restrict access to certain data
- It is possible to revoke a token without changing credentials
Flaws:
- Complex implementation - requires token refresh logic
- You need to store client_id, client_secret, refresh_token
Example of use:
// Step 1: Obtain an access token POST https://api.supplier.com/oauth/token Content-Type: application/json{ "grant_type": "client_credentials", "client_id": "your_client_id_here", "client_secret": "your_client_secret_here", "scope": "products:read orders:write" } // Answer:{ "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "def50200a1b2c3d4e5f6..." } // Step 2: Use the token for GET requests https://api.supplier.com/v1/products Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... // Step 3: Refresh the token when it expires POST https://api.supplier.com/oauth/token{ "grant_type": "refresh_token", "refresh_token": "def50200a1b2c3d4e5f6...", "client_id": "your_client_id_here" }3. JWT (JSON Web Token)
How it works: An encrypted token containing information about the user and their permissions. The server verifies the token's signature without accessing the database.
Advantages:
- Does not require storing sessions on the server
- Contains all information about access rights within the token
- Quick check - no need to access the database
JWT structure:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ikpv aG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c // Decryption: { "header":{ "alg": "HS256", "typ": "JWT" }, "payload":{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "scope": ["products:read", "orders:write"] }, "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" }What to choose: For simple integration with a provider, use API Key. If high security or integration on behalf of users is required, choose OAuth 2.0. JWT is typically used within OAuth.
API Integration Security: Best Practices
Incorrect API implementation can lead to data leakage, account compromise, or financial losses. Follow these security guidelines:
1. Store your API keys securely
- Never store keys in code - use environment variables (.env files)
- Don't commit keys in Git — add.env to gitignore
- Use secret storage - AWS Secrets Manager, Azure Key Vault, HashiCorp Vault
- Different keys for development and production — test/sandbox keys for tests
2. Always use HTTPS
- All API requests must be made via HTTPS, never via HTTP.
- Verify SSL certificates (do not disable verification)
- Use TLS 1.2 or higher
3. Check webhook signatures
- Always check the signature of webhook requests before processing
- Use HMAC-SHA256 for authentication
- Reject requests without a valid signature
Example of webhook signature verification:
const crypto = require('crypto'); function verifyWebhookSignature(payload, signature, secret) { const hmac = crypto.createHmac('sha256', secret); const digest = 'sha256=' + hmac.update(JSON.stringify(payload)).digest('hex'); return crypto.timingSafeEqual( Buffer.from(signature), Buffer.from(digest) ); } // Using const isValid = verifyWebhookSignature( req.body, req.headers['x-webhook-signature'], process.env.WEBHOOK_SECRET ); if (!isValid) { return res.status(401).send('Invalid signature'); }4. Log all actions
- Log all API requests and responses (but do not log API keys)
- Keep logs for at least 30 days for audit purposes.
- Monitor for suspicious activity (lots of 401 errors, unusual requests)
5. Restrict access rights
- Request only the necessary rights (scopes)
- Use read-only keys where possible.
- Different keys for different integrations
Important: Change API keys regularly (every 3-6 months) and immediately revoke compromised keys. If a key is logged or accidentally published, replace it immediately.
Tools for working with APIs
Use professional tools to develop and debug API integrations:
1. Postman (the most popular)
- Purpose: Testing API requests, creating collections, and automating tests
- Price: Free for basic features, Pro from $12/month
- Peculiarities: Graphical interface, saving queries, environment variables, automated tests
- Link: postman.com
2. cURL (command line)
- Purpose: Quick tests from the terminal, automation scripts
- Price: Free, built-in for Linux/Mac, separate download for Windows
- Peculiarities: Powerful, flexible, but requires knowledge of syntax
Examples of cURL commands:
# GET request with authorization curl -X GET "https://api.supplier.com/v1/products" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" # POST request with data curl -X POST "https://api.supplier.com/v1/orders" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "product_sku": "ELEC-12345", "quantity": 5, "delivery_address": "Kyiv, Ukraine" } ' # Save the response to a file curl -X GET "https://api.supplier.com/v1/products" \ -H "Authorization: Bearer YOUR_API_KEY" \ -o products.json3. Insomnia
- Purpose: An alternative to Postman with a simpler interface
- Price: Free, Pro from $5/month
- Link: insomnia.rest
4. Swagger / OpenAPI
- Purpose: API documentation and testing, client code autogeneration
- Price: Free for open source
- Peculiarities: Many vendors publish Swagger documentation for their APIs.
5. Webhook.site
- Purpose: Testing webhooks without writing code
- Price: For free
- How to use: Get a temporary URL, specify it as a webhook endpoint, and watch incoming requests in your browser.
- Link: webhook.site
Integration with the Elbuz platform
The Elbuz platform provides ready-made solutions for integrating with suppliers via API. Instead of developing integrations from scratch, you can use built-in tools.
Elbuz API capabilities:
- Ready-made connectors — connect to popular suppliers in a few clicks
- Universal REST API - connection of any supplier according to documentation
- Automatic synchronization — setting up an update schedule (every 15-60 minutes)
- Field mapping — matching your database fields with the supplier's fields
- Error handling - automatic retry in case of failures
- Webhooks - support for real-time updates
- Logging - history of all requests and changes
- Monitoring — notifications in case of integration problems
Learn more about automation capabilities in our The Complete Guide to Data Management and Synchronization.
Benefits of using Elbuz for API integrations:
- Saving development time — a ready-made solution instead of months of programming
- Reliability - a proven system with handling of all extreme cases
- Support — assistance from specialists in setting up complex integrations
- Scalability — connect an unlimited number of suppliers
- Safety — secure storage of API keys, data encryption
Frequently Asked Questions (FAQ)
How much does API integration with a provider cost?
Most providers provide API access free to clients. Some may charge for advanced features (more requests per hour, priority support). Developing an integration from scratch will cost $1,000-5,000, depending on its complexity. Ready-made platforms like Elbuz offer API integrations as part of a subscription starting at $49/month.
How often should I synchronize data via API?
The optimal frequency depends on the specifics of your business. For fast-moving products (electronics, popular items), every 15-30 minutes is recommended. For slower-moving categories, 1-2 times a day is sufficient. If webhooks are available, use them for instant updates when prices or inventory changes. Consider the supplier's API limits when setting the frequency.
What if the provider does not provide an API?
If the provider does not have an API, use alternative automation methods: automatic download of price lists via Email/FTP, parsing Excel files, integration via Google Sheets API You can also contact the vendor with a request to develop an API—many large vendors add this feature at customer request.
How to protect API keys from theft?
Никогда не храните API ключи в коде — используйте переменные окружения (.env файлы). Не коммитьте ключи в Git, добавьте.env в.gitignore. Используйте разные ключи для разработки и продакшена. Храните продакшен-ключи в секретных хранилищах (AWS Secrets Manager, Azure Key Vault). Регулярно ротируйте ключи (каждые 3-6 месяцев). Ограничивайте права доступа ключей — используйте read-only где возможно. Мониторьте использование API на предмет подозрительной активности.
Автоматизируйте интеграции с поставщиками с помощью Elbuz
Платформа Elbuz предлагает готовые решения для API-интеграций с поставщиками. Настройте автоматическую синхронизацию цен и остатков за 15 минут без программирования. Поддержка REST API, webhooks, автоматическая обработка ошибок, мониторинг и логирование всех операций.
- Готовые коннекторы к популярным поставщикам
- Универсальный REST API для любых интеграций
- Автоматическая синхронизация по расписанию
- Обработка ошибок и retry logic из коробки
- Безопасное хранение API ключей
- 24/7 technical support
Начните работу с бесплатным тестовым периодом и убедитесь, как автоматизация API-интеграций экономит часы работы каждый день.
Попробовать Elbuz бесплатноRelated materials
- What is an API and How Does it Work? Explained for Non-Technical Users
- Step-by-step guide to integrating with a supplier via API
- REST API vs. SOAP: Which Protocol Should You Choose?
- Authentication methods: API Key, OAuth2, JWT
- API Integration Security: Best Practices
- Tools for working with APIs
- Integration with the Elbuz platform
- Frequently Asked Questions (FAQ)
- Автоматизируйте интеграции с поставщиками с помощью Elbuz
- Related materials
Save a link to this article
Anton Koval
Copywriter ElbuzIn the world of business, words are my pencils and automation is my art. Welcome to the gallery of online store effectiveness, where every text is a masterpiece of success!
Discussion of the topic – Integrating with Suppliers via API: A Step-by-Step Guide to Getting Started
Integrating with Suppliers via API: A Step-by-Step Guide to Getting Started
There are no reviews for this product.


Write a comment
Your email address will not be published. Required fields are checked *