Developer

Developer access and data

A public overview of the Apex data stores, developer access paths, and safety rules for technical teams integrating with Apex.

Apex developers and technical partners usually work through the dashboard, the public API, webhooks, the SDK, and platform integrations. Keep access server-side when secrets are involved, and use the narrowest key or role that can complete the task.

Access paths

Access pathUse it for
DashboardManaging shops, experiments, goals, setup, team members, API keys, and runtime controls.
Public API v1Server-side automation for experiments, variations, goals, webhooks, screenshots, harness workflows, and privacy requests.
SDKStorefront assignment, rendering, tracking, consent, feature flags, and runtime diagnostics.
WebhooksReceiving Apex events in your backend.
Platform apps and pluginsShopify, WooCommerce, and Shopware connection flows.

Do not put secret API keys, webhook signing secrets, or platform credentials in browser code.

Data stores

StoreWhat Apex uses it for
Product databaseShops, experiments, variations, goals, pages, segments, users, organizations, API keys, webhooks, privacy requests, and audit-oriented product state.
Event analyticsStorefront events such as visitors, exposures, clicks, conversions, revenue, performance, and experiment results.
Asset and evidence storageQA screenshots, generated artifacts, and review evidence when those features are enabled.
Edge runtimeSnippet delivery, experiment config, event ingest, previews, and routing support.

The public event schema is documented in Public event schema. Worker routes are documented in Worker public endpoints.

Data controls

Apex includes runtime settings for consent mode, Do Not Track, storage mode, screenshot handling, debug controls, and shop or experiment kill switches. Some workspaces may also configure data-egress controls for AI prompts, screenshots, tool outputs, observability mirroring, model calls, and evidence retention.

Use these controls before launch, not after a privacy review finds a mismatch.

Safe implementation rules

  • Use server-side API calls for secret keys and privacy workflows.
  • Rotate keys when people leave the project or an integration is replaced.
  • Keep webhook receivers idempotent; webhook retries and duplicate delivery can happen.
  • Treat visitor IDs as pseudonymous personal data when your policy or region requires it.
  • Use consent mode and storage settings that match the storefront's regional requirements.
  • Do not export raw event data to third-party systems unless the merchant has approved that destination.