The customer account API at /client-data/* is the surface a customer portal calls. It covers profile, addresses, payment methods, support tickets, messages, push notifications, wishlist, and the dashboard rollup. Every call is scoped to the authenticated customer — there's no way to read or write another customer's data through this API.
Dashboard
/client-data/dashboard  JWT
/client-data/all  JWT

dashboard returns a curated rollup: counts of orders, pending tickets, unread messages, wallet balance, recent activity. Use it to populate a customer portal landing page in one round-trip. all returns the full bundle: every collection the customer has data in. It is heavier and is used on first sign-in or when refreshing the local cache.
Profile
/client-data/profile  JWT
/client-data/profile  JWT

Standard profile fields (name, phone, language, timezone, about). The PUT accepts a partial body: send only the fields you're changing.
Verification
/client-data/verification/status  JWT
/client-data/verification/email/send  JWT
/client-data/verification/email/verify  JWT
/client-data/verification/phone/send  JWT
/client-data/verification/phone/verify  JWT

Email and phone verification flows. send issues a code; verify confirms it. status returns the current verification state for both.
Orders
/client-data/orders  JWT
/client-data/orders/:orderId  JWT

Paginated. Filter by status and sort by any field. The response always returns the customer's own orders only; there's no cross-customer view.
Payment methods
/client-data/payment-methods  JWT
/client-data/payment-methods  JWT
/client-data/payment-methods/:paymentMethodId  JWT
/client-data/payment-methods/:paymentMethodId/default  JWT

Stripe-tokenised cards (and PayPal billing agreements). The POST accepts a Stripe paymentMethodId (created client-side via Stripe Elements); the platform attaches it to the customer's Stripe Customer object and stores a reference. The full card number never touches AppEngine.
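// after createPaymentMethod() with Stripe Elements
await fetch('/api/client-data/payment-methods', {
  method: 'POST',
  headers: {
    orgid: ORG_ID,
    Authorization: `Bearer ${customerJwt}`,
    // the body is JSON, so declare it; fetch would otherwise send text/plain
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    paymentMethodId: 'pm_abc', // Stripe token only, never the card number
    setAsDefault: true,
  }),
});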
Addresses
/client-data/addresses  JWT
/client-data/addresses  JWT
/client-data/addresses/:addressId  JWT
/client-data/addresses/autocomplete  JWT
/client-data/addresses/place/:placeId  JWT

autocomplete uses Google Places (configured via the integrations module) for typeahead. The POST upserts: if the body contains an id, that record is updated; otherwise a new address is created.
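An upsert keyed on a client-supplied id has to check ownership on the update path, otherwise the id becomes a handle on other customers' rows. The sketch below is an added example, not AppEngine code; the in-memory store, field names and AddressNotFound error are assumptions.

```javascript
// Added example: ownership-checked upsert. Store, fields and error type
// are hypothetical; sample rows are constructed.
const addresses = new Map([
  ['a-1', { id: 'a-1', customerId: 'c-100', city: 'Leeds' }],
  ['a-2', { id: 'a-2', customerId: 'c-200', city: 'York' }],
]);
let nextId = 3;

class AddressNotFound extends Error {}

// Only these body fields are ever written; id and customerId in the body
// are never copied into the stored record.
const WRITABLE = ['line1', 'city', 'postcode', 'country'];

function pickWritable(body) {
  const out = {};
  for (const k of WRITABLE) {
    if (body[k] !== undefined) out[k] = body[k];
  }
  return out;
}

// customerId comes from the verified principal, never from the request.
function upsertAddress(customerId, body) {
  const fields = pickWritable(body);
  if (body.id != null) {
    const existing = addresses.get(String(body.id));
    // Update path: same error for "missing" and "owned by someone else",
    // so the response does not reveal which ids exist.
    if (!existing || existing.customerId !== customerId) {
      throw new AddressNotFound('address not found');
    }
    const updated = { ...existing, ...fields };
    addresses.set(existing.id, updated);
    return updated;
  }
  // Create path: the server assigns the id and the owner.
  const created = { id: `a-${nextId++}`, customerId, ...fields };
  addresses.set(created.id, created);
  return created;
}
```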
Tickets
/client-data/tickets  JWT
/client-data/tickets/:ticketNumber  JWT
/client-data/tickets  JWT
/client-data/tickets/with-attachments  JWT
/client-data/tickets  JWT

Customer-side ticket creation and lookup. The staff side lives in CRM tickets. Customers can attach files via with-attachments (multipart upload).
Messages and conversations
/client-data/messages  JWT
/client-data/conversations  JWT
/client-data/messages  JWT
/client-data/messages/:messageId/status/:status  JWT

Direct messages between the customer and staff (or experts). conversations returns distinct threads; messages returns messages within a thread, paginated. Status updates (read, archived) are per-message.
Notifications and push
/client-data/notifications  JWT
/client-data/notifications/push-token  JWT

Notifications are in-app messages. Push tokens are FCM/APNS device tokens registered for mobile push. The platform broadcasts notifications to the right channels via the Sync notification processor.
Wishlist
/client-data/wishlist  JWT
/client-data/wishlist/:productId  JWT
/client-data/wishlist/:productId  JWT

Per-customer saved-products list. Used by the storefront UI for the heart icon on product cards.
Reservations
/client-data/reservations  JWT
/client-data/reservations/:reservationId  JWT
/client-data/reservations  JWT
/client-data/reservations  JWT
/client-data/reservations/:reservationId  JWT
/client-data/reservations/available-slots  JWT

Customer-side reservation booking: picks slots, books, modifies, cancels. Same machinery as the staff reservations endpoints, scoped to the customer.
Files
/client-data/files  JWT
/client-data/files/upload  JWT
/client-data/files/:path  JWT

Per-customer file storage. Used for ticket attachments, profile photos, ID uploads. Files live under the customer's namespace in S3 (or the configured object store).
Benefits
/client-data/benefits  JWT
/client-data/benefits/enroll  JWT
/client-data/benefits/enrollments  JWT

Customer-side enrollment in benefit programmes (student discount, military, AAA, employer). Pricing automatically applies the benefit at checkout once approved.
Transactions
/client-data/transactions  JWT

Filter by status, payment method, date range. Returns the customer's own transactions only. For wallet and payout-side transactions, see Customer finance and wallet.
Every endpoint here resolves the principal via @CurrentCustomerOrUser(). If a User principal calls a customer endpoint, the response is scoped to the user's own customer record (if they have one) — there's no impersonation by default.
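The scoping rule above can be modelled as "derive the customer id from the verified principal, then filter every query by it". This is an added example, not the platform's @CurrentCustomerOrUser() implementation; the principal shapes, the linkedCustomerId field, the error types and the choice to reject a user with no customer record are assumptions.

```javascript
// Added example: principal-to-scope resolution with constructed sample data.
const ORDERS = [
  { id: 'o-1', customerId: 'c-100', total: 40 },
  { id: 'o-2', customerId: 'c-200', total: 75 },
];

class NotFound extends Error {}
class Forbidden extends Error {}

// The scope is taken from the verified token claims only. Nothing in the
// URL, query string or body can widen it.
function resolveCustomerScope(principal) {
  if (principal.type === 'customer') return principal.customerId;
  if (principal.type === 'user') {
    // A user sees their own customer record, if one is linked (assumed field).
    if (principal.linkedCustomerId) return principal.linkedCustomerId;
    throw new Forbidden('user has no customer record');
  }
  throw new Forbidden('unknown principal type');
}

// The request may name an order, never a customer.
function getOrder(principal, params) {
  const scope = resolveCustomerScope(principal);
  const order = ORDERS.find(
    (o) => o.id === params.orderId && o.customerId === scope,
  );
  // One error for "missing" and "someone else's" avoids an existence oracle.
  if (!order) throw new NotFound('order not found');
  return order;
}

function listOrders(principal, query = {}) {
  const scope = resolveCustomerScope(principal);
  // query.customerId, if a client sends one, is deliberately ignored.
  return ORDERS.filter((o) => o.customerId === scope);
}
```

A regression test for this rule asks for a second customer's order id with the first customer's token and expects the same response as for an id that does not exist.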