Developer access and data
A public overview of the Apex data stores, developer access paths, and safety rules for technical teams integrating with Apex.
Apex developers and technical partners usually work through the dashboard, the public API, webhooks, the SDK, and platform integrations. Keep access server-side when secrets are involved, and use the narrowest key or role that can complete the task.
Access paths
| Access path | Use it for |
|---|---|
| Dashboard | Managing shops, experiments, goals, setup, team members, API keys, and runtime controls. |
| Public API v1 | Server-side automation for experiments, variations, goals, webhooks, screenshots, harness workflows, and privacy requests. |
| SDK | Storefront assignment, rendering, tracking, consent, feature flags, and runtime diagnostics. |
| Webhooks | Receiving Apex events in your backend. |
| Platform apps and plugins | Shopify, WooCommerce, and Shopware connection flows. |
Do not put secret API keys, webhook signing secrets, or platform credentials in browser code.
Data stores
| Store | What Apex uses it for |
|---|---|
| Product database | Shops, experiments, variations, goals, pages, segments, users, organizations, API keys, webhooks, privacy requests, and audit-oriented product state. |
| Event analytics | Storefront events such as visitors, exposures, clicks, conversions, revenue, performance, and experiment results. |
| Asset and evidence storage | QA screenshots, generated artifacts, and review evidence when those features are enabled. |
| Edge runtime | Snippet delivery, experiment config, event ingest, previews, and routing support. |
The public event schema is documented in Public event schema. Worker routes are documented in Worker public endpoints.
Data controls
Apex includes runtime settings for consent mode, Do Not Track, storage mode, screenshot handling, debug controls, and shop or experiment kill switches. Some workspaces may also configure data-egress controls for AI prompts, screenshots, tool outputs, observability mirroring, model calls, and evidence retention.
Use these controls before launch, not after a privacy review finds a mismatch.
Safe implementation rules
- Use server-side API calls for secret keys and privacy workflows.
- Rotate keys when people leave the project or an integration is replaced.
- Keep webhook receivers idempotent; webhook retries and duplicate delivery can happen.
- Treat visitor IDs as pseudonymous personal data when your policy or region requires it.
- Use consent mode and storage settings that match the storefront's regional requirements.
- Do not export raw event data to third-party systems unless the merchant has approved that destination.