Overview

NorthStarMetric exposes several endpoints for tracking, data ingestion, and webhook processing. This reference covers the key interfaces.
NSM is primarily a managed service — most merchants interact with it through the dashboard and Shopify app. This API reference is intended for developers who need to understand the data flow or build custom integrations.

Base URLs

| Service | URL | Purpose |
| --- | --- | --- |
| Edge Server | https://track.northstarmetric.io | Receives tracking events from the client-side pixel |
| Dashboard | https://app.northstarmetric.io | Web dashboard and REST API |
| Marketing Site | https://northstarmetric.io | Public website |

Tracking Endpoint

The edge server receives fingerprint and event data from the client-side tracking script.

POST /t

Receives a tracking event with device fingerprint data.

Headers:

| Header | Required | Description |
| --- | --- | --- |
| Content-Type | Yes | application/json |
| Authorization | Yes | Bearer <JWT> (store-specific JWT token) |

Request Body:
{
  "event": "page_view",
  "url": "https://yourstore.com/products/example",
  "referrer": "https://www.google.com/",
  "timestamp": "2026-03-14T12:00:00Z",
  "visitor_id": "v_abc123def456",
  "session_id": "s_789ghi012",
  "fingerprint": {
    "hash": "a1b2c3d4e5f6...",
    "pass": "A",
    "signals": {
      "screen": "1920x1080",
      "cores": 8,
      "memory": 16,
      "timezone": "Europe/Amsterdam",
      "language": "en-US",
      "platform": "Win32",
      "colorDepth": 24,
      "pixelRatio": 1
    }
  },
  "utm": {
    "source": "facebook",
    "medium": "cpc",
    "campaign": "summer-sale-2026",
    "content": "ad-variant-a",
    "term": ""
  },
  "click_ids": {
    "fbclid": "IwAR3...",
    "gclid": null,
    "ttclid": null
  }
}
Response:
{
  "status": "ok",
  "visitor_id": "v_abc123def456"
}
Status Codes:

| Code | Meaning |
| --- | --- |
| 200 | Event received and queued for processing |
| 400 | Invalid request body or missing required fields |
| 401 | Invalid or expired JWT token |
| 429 | Rate limit exceeded (100 req/s per store) |

Shopify Order Webhooks

NSM receives order data via Shopify webhooks (server-to-server). These are configured automatically when you install the Shopify app.

Order Created Webhook

Shopify sends an orders/create webhook when a new order is placed. NSM processes this to:
  1. Match the order to a visitor session (via fingerprint or email hash)
  2. Apply the configured attribution model
  3. Write the attribution result to the dashboard
  4. Forward the conversion to connected ad platforms (CAPI)
Webhook payload (key fields used by NSM):
{
  "id": 5123456789,
  "order_number": 1042,
  "created_at": "2026-03-14T12:05:00-04:00",
  "total_price": "127.00",
  "currency": "USD",
  "financial_status": "paid",
  "customer": {
    "id": 987654321,
    "email": "customer@example.com",
    "phone": "+1234567890",
    "orders_count": 3
  },
  "line_items": [
    {
      "product_id": 111222333,
      "variant_id": 444555666,
      "title": "Summer T-Shirt",
      "quantity": 2,
      "price": "39.00"
    }
  ],
  "landing_site": "/products/summer-tshirt?utm_source=facebook&utm_medium=cpc&fbclid=IwAR3..."
}
NSM verifies every incoming webhook against the HMAC-SHA256 signature that Shopify attaches to it. Webhooks that fail verification are rejected, so forged webhook requests are never processed.
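The verification step described above, as an added example that is not NSM's own code. It relies on Shopify's documented convention of sending the base64-encoded HMAC-SHA256 of the raw request body in the `X-Shopify-Hmac-Sha256` header; the secret, the sample body, the `handle_order_webhook` function and the 401 status for rejected requests are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample values: a made-up app secret and a trimmed orders/create body.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({
    "id": 5123456789,
    "total_price": "127.00",
    "landing_site": "/products/summer-tshirt?utm_source=facebook&utm_medium=cpc",
}).encode()


def sign(secret: bytes, raw_body: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form carried in X-Shopify-Hmac-Sha256."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def verify_webhook(secret: bytes, raw_body: bytes, header_value) -> bool:
    """True only if header_value is a valid signature over the exact bytes received."""
    if not header_value:
        return False  # missing header: reject rather than skip verification
    try:
        received = base64.b64decode(header_value, validate=True)
    except ValueError:
        return False  # header is not valid base64
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)  # constant-time comparison


def handle_order_webhook(secret: bytes, raw_body: bytes, header_value):
    """Hypothetical handler: returns (status, attribution); parses only after verifying."""
    if not verify_webhook(secret, raw_body, header_value):
        return 401, None  # assumed rejection status
    order = json.loads(raw_body)
    query = parse_qs(urlsplit(order.get("landing_site") or "").query)
    utm = {k: v[0] for k, v in query.items() if k.startswith("utm_")}
    return 200, {"order_id": order["id"], "utm": utm}
```

The signature covers the bytes as received, so a framework that parses and re-serializes the JSON before the check will fail verification on legitimate webhooks.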

GDPR Webhooks

NSM implements all required Shopify GDPR webhook endpoints:
| Endpoint | Shopify Topic | What NSM Does |
| --- | --- | --- |
| /webhooks/customers/data_request | customers/data_request | Compiles and logs all data held for the customer |
| /webhooks/customers/redact | customers/redact | Permanently deletes all customer attribution data |
| /webhooks/shop/redact | shop/redact | Permanently deletes all store data (48h after uninstall) |

All GDPR webhooks are verified via HMAC and processed within 30 days per GDPR Article 17.

Dashboard REST API

The dashboard exposes REST endpoints for retrieving analytics data. These are used internally by the dashboard frontend but are documented here for reference.
The Dashboard API requires authentication via Supabase session tokens. It is not intended for external API access at this time. If you need programmatic access to your attribution data, contact support@northstarmetric.io.

Key Endpoints

| Method | Path | Description |
| --- | --- | --- |
| GET | /api/analytics | Aggregated analytics data (revenue, orders, ROAS) |
| GET | /api/attribution | Attribution data by channel, campaign, ad |
| GET | /api/orders | Order list with attribution details |
| GET | /api/customers/:id | Customer profile with journey timeline |
| GET | /api/ad-spend | Ad spend data from connected platforms |
| GET | /api/cohorts | Cohort analysis data |
| GET | /api/ltv | Lifetime value metrics |
| GET | /api/pnl | Profit & loss data |

All endpoints require:
  • Valid Supabase authentication header
  • Store ID in the URL path
  • User must be the verified owner of the store (IDOR protection)

Rate Limits

| Endpoint | Limit | Window |
| --- | --- | --- |
| Tracking (/t) | 100 requests/second | Per store |
| Dashboard API | 60 requests/minute | Per user |
| Webhook ingestion | Unlimited | Shopify-controlled |

Rate limits are enforced at the edge server level. Exceeding the limit returns a 429 Too Many Requests response. Normal tracking usage will never hit these limits; they exist to prevent abuse.

Data Formats

Timestamps

All timestamps use ISO 8601 format in UTC:
2026-03-14T12:00:00Z

Currency

Currency codes follow ISO 4217 (e.g., USD, EUR, GBP).

Hashing

All PII hashing uses SHA-256 with lowercase hex encoding:
SHA-256("customer@example.com") = "a1b2c3d4e5f6..."
