Integration blueprint

Connect any app to LetsOrderIt commerce

Use LetsOrderIt to manage payments, subscriptions, customers, CRM, and access levels for your external app. AccessGate handles login and verified access — your app focuses on the product experience. Draft v1.1 — Euro/global pricing examples.

Build the app anywhere. Run the business on LetsOrderIt. Your app = product experience AccessGate = login & access LetsOrderIt = commerce engine
Three use cases: (1) Creator login — manage the connected app. (2) Customer/member access — unlock features by LetsOrderIt plan or subscription. (3) Post-payment fulfillment — issue vouchers, bookings, files, or benefits after verified payment.
No matching topic found. Try searching for token, webhook, connect, payment, or showcase.
Core idea

Build the app anywhere. Run the business on LetsOrderIt.

This integration is not only about connecting a vibe-coded app to a payment webhook. LetsOrderIt becomes the commerce, subscription, customer, order, CRM, and Stripe/payment layer for external apps. AccessGate is the login, access, and permission bridge. Your app is the product experience — dashboard, member area, booking tool, voucher tool, AI tool, or other interface.

  • Your app handles the product. LetsOrderIt handles the business.
  • Turn any vibe-coded app into a paid SaaS, membership, booking, voucher, or service product without rebuilding billing, subscriptions, CRM, or access logic.
  • Documentation uses Euro/global pricing examples (e.g. Standard €9/month, Premium €29/month). Local currencies still work inside LetsOrderIt checkout where configured.
Architecture

How the pieces fit together

The clean model:

Creator creates paid/free access levels in LetsOrderIt
↓
Customer signs up or pays through LetsOrderIt
↓
LetsOrderIt stores customer, order, subscription, plan status, CRM record
↓
AccessGate becomes the login/access bridge
↓
Customer logs into the external app through AccessGate
↓
External app receives verified access level, benefits, and status
↓
External app unlocks Free / Standard / Premium / Enterprise features

LetsOrderIt

Showcases, items, free signup, paid & subscription items, Stripe checkout, orders, subscriptions, CRM, form settings, post-payment webhook.

AccessGate

Login gate, creator & customer login, JWT issuance, token verification, showcase switching, payment/subscription verification, proxy APIs.

Your Vibe App

App UI, creator/customer dashboards, feature unlocking by verified access level, fulfillment after verified payment, idempotent records.

Customer flow

Sign up or pay on LOIT → log in via AccessGate → app verifies access → unlock plan features.

Important distinction

Creator access vs customer/member access

1. Creator / admin access

For the creator who owns the app setup — hotel owner in SnapBooking, agency in an AI tool, voucher creator in SnapVoucher.

Verifies: who is the creator, which showcase they manage, creator plan, showcase switching.

2. Customer / member access

For the creator's customer, subscriber, member, or buyer — pays Premium through LetsOrderIt, then logs into the connected app.

Verifies: signup/payment status, active subscription, plan level, which features to unlock.

Existing docs cover creator login and payment fulfillment well. Customer/member access based on LetsOrderIt subscription or signup level is the key expansion — see Customer access flow.
Pricing

Two separate pricing layers

Layer A — What the creator pays LetsOrderIt

Controls what the creator can use: Free, Solo, Business, Enterprise/Custom. May limit connected apps, webhooks, AccessGate usage, team access, white-label, etc.

Layer B — What the creator charges their customers

Created inside LetsOrderIt as items — free signup, one-time payments, or subscriptions. The creator sets their own pricing:

  • Free access = €0
  • Standard = €9/month or €9.90/month
  • Premium = €29/month or €29.90/month
  • Enterprise = custom/manual

LetsOrderIt handles customer signup/payment/subscription; AccessGate tells the external app which level the customer has.

Creator setup

Creator setup flow inside LetsOrderIt

A creator should not need to build billing, subscriptions, Stripe, CRM, or customer access logic inside the external app. LetsOrderIt handles that.

  1. Create a LetsOrderIt account.
  2. Create or select a showcase/business.
  3. Enable the relevant Snap App or external app integration.
  4. Create access/payment items in LetsOrderIt (Free, Standard, Premium, Enterprise/custom).
  5. Configure each item as one-time payment, free signup, or subscription.
  6. Enable Stripe/payment methods where needed.
  7. Connect each LetsOrderIt item to the external app.
  8. Set the integration reference for each item (free, standard, premium, enterprise, etc.).
  9. Set or auto-write the post-payment webhook URL.
  10. Set or auto-write the post-payment redirect URL.
  11. Use AccessGate as the login page for the connected app.
  12. Customers sign up or pay through LetsOrderIt.
  13. Customers log into the connected app through AccessGate.
  14. The connected app unlocks access based on verified subscription/payment level.
Developer checklist

Recommended integration checklist

  1. Create a creator gate — request creator access, then create a CREATOR-type gate with your app URL as the destination.
  2. Wire creator login — send creators to https://accessgate.loit.site/g/{gate-id}?return_url=....
  3. Store session — set an HttpOnly cookie with the token and gate id; re-verify on each protected request.
  4. Add payment webhook — expose POST /api/loit/payment-confirmed.
  5. Verify before fulfilling — call AccessGate POST /api/verify-payment.
  6. Connect LOIT items — call POST /api/connect-loit-item from your creator UI.
Creator auth

Creator login through AccessGate

Redirect creators to your gate login page with a return URL back to your app.

https://accessgate.loit.site/g/your-app-creator-access?return_url=https://your-app.example/creator

After login, AccessGate redirects with ?token={ag_access JWT} (24h TTL). Exchange it for an HttpOnly session cookie and strip the token from the URL.

AppGate idCookie
SnapVouchersnapvoucher-creator-accesssnapvoucher_creator
SnapBookingsnapbooking-creator-accesssnapbooking_creator
SnapOffersnapoffer-creator-accesssnapoffer_creator
Token verification

Verify creator sessions

Call AccessGate from your server — not LOIT directly from the browser.

GET https://accessgate.loit.site/api/verify-token?token={ag_access JWT}

Response:
{
  "valid": true,
  "email": "creator@example.com",
  "business_id": "...",
  "business_slug": "my-showcase",
  "can_switch_showcases": true
}
API proxy

AccessGate public API routes

These proxy to LetsOrderIt NestJS /api/accessgate/*.

RoutePurpose
/api/verify-tokenValidate ag_access JWT
/api/switch-showcaseRe-issue token for another showcase
/api/verify-paymentConfirm LOIT order/subscription is paid
/api/connect-loit-itemPush form settings onto a LOIT item
/api/launch-from-tokenMy Apps token exchange between gates
Multi-showcase

Switching LetsOrderIt businesses

POST https://accessgate.loit.site/api/switch-showcase
{ "token": "{ag_access JWT}", "business_id": "{showcase UUID}" }

Public creator gates allow switching; invite-only gates fix the showcase per login.

Subscription engine

Use LetsOrderIt as your app's subscription engine

LetsOrderIt can manage your external app's customer plans, subscriptions, payment levels, customer records, Stripe payments, and access status. Your app should not duplicate billing logic — ask AccessGate whether the current customer has active access and which plan or benefits are available.

Creators define Free, Standard, Premium, Enterprise, or custom plans as LetsOrderIt items. Map verified access to features:

  • free → basic access
  • standard → normal tools
  • premium → advanced tools
  • enterprise → custom/unlimited/admin access
Customer access

Customer / member access flow

  1. Customer signs up or pays through a LetsOrderIt item or subscription.
  2. LetsOrderIt stores customer, order/subscription, item, plan, and CRM record.
  3. Customer logs into the connected app through AccessGate (gate linked to subscription item).
  4. App calls AccessGate to verify current access on each login.
  5. AccessGate returns access level, plan, and benefits.
  6. App unlocks features based on verified access — not browser URL params alone.
  7. Re-check on login so cancelled or expired subscriptions do not keep paid access.
Access contract

Recommended customer access API contract

Your app should ask: does this logged-in customer have access, and at what level?

Recommended routes (implement in your app, verify via AccessGate/LetsOrderIt):

  • GET /api/me/access
  • POST /api/verify-customer-access
  • GET /api/customer-subscriptions (via LetsOrderIt API where applicable)
{
  "valid": true,
  "customer_email": "customer@example.com",
  "customer_id": "customer_123",
  "creator_business_id": "business_123",
  "business_slug": "creator-showcase",
  "access_status": "active",
  "plan": "premium",
  "plan_source": "loit_subscription",
  "subscription_id": "sub_123",
  "item_id": "item_123",
  "integration_ref": "premium",
  "benefits": ["premium_dashboard", "advanced_exports", "priority_support"],
  "expires_at": "2026-08-01T00:00:00.000Z"
}

access_status values:

active, free, trial, pending, past_due, cancelled, expired, refunded, blocked, none

plan_source values:

loit_free_signup, loit_order, loit_form_order, loit_subscription, manual_access, enterprise_manual

Lifecycle

Subscription status and access changes

Every time a customer logs in, re-check access through AccessGate.

StatusRecommended behavior
activeAllow full mapped access
free / trialAllow mapped free/trial access
past_dueGrace period or billing message — your choice
cancelled / expired / refundedRemove paid access
blockedDeny access
noneShow signup or payment page
Connect item

Connect a LOIT item to your app

POST https://accessgate.loit.site/api/connect-loit-item
{
  "token": "{ag_access JWT}",
  "loit_payment_url": "https://app.letsorderit.com/my-showcase/offer/my-item",
  "action_text": "https://your-app.example/activate?template=vip-pass",
  "integration_ref": "vip-pass",
  "post_payment_webhook": "https://your-app.example/api/loit/payment-confirmed"
}

In plain English: the creator pastes a LetsOrderIt item URL into your app. The app writes redirect URL, webhook URL, and integration_ref back to the item — no manual Form Settings copy/paste.

integration_ref examples: free, standard, premium, vip-pass, two-night-booking, ai-tool-pro.

Form settings

LOIT form settings (creator-friendly)

Form Settings control what happens after submit or payment. Open any item in LetsOrderIt admin → Form settings:

  • Action on submit — normally page for connected apps
  • Redirect URL — customer goes to your app after checkout (UX only, not payment proof)
  • Post-payment webhook URL — signals your app to verify and fulfill
  • Integration reference — which plan, template, service, or feature this item represents

Example: Premium Plan item with integration_ref = premium. Webhook → your app. Redirect → activation page. After verified payment, unlock Premium features.

Important: Redirect URL alone does not prove payment. Always verify via webhook + AccessGate payment verify.
Payment webhook

Post-payment webhook from LOIT

LOIT POSTs after successful payment with user-agent: LetsOrderIt-PostPaymentWebhook/1.0. Treat the webhook as a notification only — there is no shared webhook secret.

{
  "event": "payment.completed",
  "payment_source": "loit_subscription" | "loit_form_order" | "loit_order",
  "order_id": "12345",
  "item_id": "...",
  "customer_email": "buyer@example.com",
  "paid_at": "2026-06-30T12:00:00.000Z",
  "context": { "integration_ref": "premium", "order_no": "12345" }
}

See Webhook security for the required handling steps.

Verify payment

Confirm payment before fulfilling

POST https://accessgate.loit.site/api/verify-payment
{ "payment_source": "loit_order", "order_id": "12345", "item_id": "..." }

Only fulfill when the response includes "valid": true.

Contract

Post-payment contract keys

Shared keys for redirects and webhooks:

  • integration_ref / template — your product slug
  • serial — existing issued ticket/pass id
  • order_id, order_no, subscription_id, item_id

Idempotency match order: serial → order_no (+ item) → subscription_id. See Idempotency.

Standard routes

Recommended routes for every vibe-coded app

RoutePurpose
/creatorCreator/admin dashboard after AccessGate login
/customer or /appCustomer/member app area after AccessGate login
/api/auth/accessgate/callbackReceives token, verifies, stores HttpOnly cookie, strips token from URL
/api/meReturns current session details
/api/me/accessReturns verified access level, plan, status, benefits
/api/loit/payment-confirmedReceives LOIT post-payment webhook
/api/loit/verify-paymentServer-side verification before fulfillment
/activatePost-payment redirect — UX only, never proof of payment
/connect-loit-itemCreator action to connect a LOIT item URL to the app
Golden rule

Redirect is only UX. Verification is the proof.

Redirect is only UX.

Webhook is only a signal.

Verification is the proof.

Fulfillment happens only after verified payment or verified active access.

  • Do not unlock, issue, book, deliver, or activate anything because the user reached a redirect URL.
  • Do not trust browser-provided plan names, item ids, or subscription ids.
  • Always verify server-side through AccessGate/LetsOrderIt before fulfilling.
Webhook security

How to handle post-payment webhooks safely

  1. Receive webhook at /api/loit/payment-confirmed.
  2. Store raw webhook event for debugging.
  3. Extract payment_source, order_id, item_id, subscription_id, integration_ref.
  4. Call AccessGate POST /api/verify-payment.
  5. If valid: true, fulfill idempotently.
  6. If not valid, mark unverified — do not fulfill.
  7. Return 200 when processing is accepted.

User-agent helps identify likely LOIT webhooks but is not security proof.

Idempotency

Do not fulfill twice

Before fulfilling, check whether this payment/subscription/order was already fulfilled.

Suggested idempotency keys:

  • serial — if ticket/pass already issued
  • order_no + item_id or order_id + item_id
  • subscription_id + integration_ref
  • customer_email + business_id + integration_ref — free signup

Store a fulfillment record:

{
  "fulfillment_key": "order_12345:item_678",
  "customer_email": "buyer@example.com",
  "business_id": "business_123",
  "integration_ref": "premium",
  "status": "fulfilled",
  "created_at": "2026-07-01T10:00:00.000Z"
}

If the same webhook arrives again, return success but do not issue duplicate benefits.

Planning

App planning checklist

For every connected app, define:

  • What does the creator sell?
  • Which LetsOrderIt item represents the sale or access level?
  • Is it free signup, one-time payment, or subscription?
  • What is the integration_ref?
  • Which webhook endpoint receives payment events?
  • Which app route shows the fulfilled result?
  • Which plan/features should be unlocked?
  • What happens if the subscription expires?
AI tools

Copy-paste prompt for Cursor, Lovable, Bolt, or Claude

Give this brief to your AI coding tool or developer. It includes architecture, routes, security rules, and fulfillment expectations from the LetsOrderIt + AccessGate blueprint.

Build this app using LetsOrderIt as the commerce, subscription, customer, order, CRM, and Stripe/payment layer. Do not build a separate billing/subscription system inside the app unless explicitly needed.

Use AccessGate as the login and access bridge between LetsOrderIt and this app.

The app must support two types of access:

1. Creator/Admin access
The creator logs in through AccessGate to manage the app, connect LetsOrderIt items, and configure what each item/subscription unlocks.

2. Customer/Member access
The customer signs up or pays through LetsOrderIt, then logs into this app through AccessGate. The app must unlock features based on the verified LetsOrderIt plan, item, subscription, integration_ref, and access status.

Core architecture:
- LetsOrderIt handles showcases, items, checkout, subscriptions, orders, customer records, CRM, Stripe payments, form settings, and webhooks.
- AccessGate handles login, token verification, access verification, showcase/business context, and proxy calls to LetsOrderIt.
- This app handles the product experience, UI, feature unlocking, and fulfillment after verified payment/access.

Required routes:
/creator — Creator/admin dashboard after AccessGate login.
/customer or /app — Customer/member area after AccessGate login.
/api/auth/accessgate/callback — Receives AccessGate token, verifies server-side, stores HttpOnly session cookie, strips token from URL.
/api/me — Returns the current logged-in user/session.
/api/me/access — Returns verified access level, plan, status, business/showcase, integration_ref, benefits, subscription/order info.
/api/loit/payment-confirmed — Receives LetsOrderIt post-payment webhook.
/api/loit/verify-payment — Server-side verification before fulfillment.
/activate — Post-payment redirect page. UX only — never proof of payment alone.
/connect-loit-item — Creator action to connect a LetsOrderIt item/payment URL to this app.

Golden security rule:
Redirect is only UX.
Webhook is only a signal.
Verification is the proof.
Fulfillment happens only after verified payment or verified active access.

Do not unlock, issue, book, deliver, or activate anything only because the user reached a redirect URL.
Do not trust browser-provided plan names, item ids, subscription ids, or integration_ref values.
Do not trust the webhook alone — there is no shared webhook secret.
Always verify server-side through AccessGate/LetsOrderIt before fulfilling.

Expected AccessGate creator login flow:
1. Redirect creator to: https://accessgate.loit.site/g/{gate-id}?return_url=https://your-app.example/creator
2. AccessGate redirects back with: ?token={ag_access JWT}
3. Verify the token server-side with AccessGate GET /api/verify-token
4. Store a secure HttpOnly session cookie
5. Remove the token from the visible URL

Expected customer/member access flow:
1. Customer signs up or pays through a LetsOrderIt item/subscription.
2. LetsOrderIt stores the customer, order/subscription, item, plan, and CRM record.
3. Customer logs into the connected app through AccessGate.
4. The app calls AccessGate to verify current access.
5. AccessGate returns current access level and benefits.
6. The app unlocks features based on verified access.
7. Re-check access on login so cancelled/expired subscriptions do not keep paid access.

Map access levels to app features, for example:
free -> basic access
standard -> normal tools
premium -> advanced tools
enterprise -> custom/unlimited/admin access

Expected post-payment webhook flow:
1. LetsOrderIt sends webhook to /api/loit/payment-confirmed
2. Store the raw event for debugging
3. Extract payment_source, order_id, item_id, subscription_id, customer_email, integration_ref
4. Call AccessGate POST https://accessgate.loit.site/api/verify-payment
5. Fulfill only if valid: true
6. Store an idempotency record so the same order/subscription cannot be fulfilled twice

Example payment verification:
POST https://accessgate.loit.site/api/verify-payment
{ "payment_source": "loit_subscription", "order_id": "12345", "item_id": "item_123" }

Idempotency keys (check before fulfilling):
- serial (if already issued)
- order_no + item_id
- order_id + item_id
- subscription_id + integration_ref
- customer_email + business_id + integration_ref (free signup)

Creator setup: create Free / Standard / Premium / Enterprise items in LetsOrderIt (https://app.letsorderit.com) with integration_ref values (free, standard, premium, enterprise). Use integration_ref and verified access status to decide what to unlock.
SnapVoucher

SnapVoucher — paid vouchers and QR tickets

Full integration: creator auth, connect LOIT item, post-payment webhook, multi-showcase.

  • Gate: snapvoucher-creator-access
  • Webhook: POST /api/loit/payment-confirmed
  • Connect: writes template slug as integration_ref
  • Fulfillment: issues QR voucher after verified payment
  • Creator docs: snapvoucher.loit.site/overview
SnapBooking

SnapBooking — paid bookings and services

Integration depth: full — same LOIT payment stack as SnapVoucher.

  • Gate: snapbooking-creator-access
  • Webhook: POST /api/loit/payment-confirmed
  • Connect: writes service slug as integration_ref
  • Fulfillment: marks booking paid and confirms reservation
SnapOffer

SnapOffer — link sharing and LOIT attribution

Auth + link import only — no payment webhooks or connect-loit-item.

  • Gate: snapoffer-creator-access (creator login only)
  • Imports LOIT showcase/item/form URLs into offer pages
  • Appends creator ref to LOIT links for attribution
  • Commerce stays on LetsOrderIt; SnapOffer is the social/link layer
Troubleshooting

Common integration issues

Session invalid after gate login

Verify via AccessGate /api/verify-token; confirm gate id in cookie matches.

Webhook fires but nothing fulfills

Call /api/verify-payment; check integration_ref matches your product.

Connect item showcase mismatch

Item URL must belong to the active showcase — switch showcase first.

Redirect creates duplicates on every refresh

Use order-based deduplication via order_no or subscription_id. See Idempotency.

Built with LetsOrderIt