Ingest

POST /cdp/ingest is a public, unauthenticated endpoint that the Shopify storefront Web Pixel posts to from the shopper’s browser. It is the one CDP route that takes no credential by design.

A browser pixel bundle is fully extractable (View Source). It must therefore ship with no credential. The ingest proxy is the server-side half that makes this possible:

  • The browser POSTs its pixel event with only a Content-Type header.
  • The server injects the upstream Unomi credential server-side and forwards the validated payload upstream.
  • A client-supplied Authorization header is ignored — the outgoing request is built from scratch and only ever carries the server’s own credential. The client can never influence the injected credential, and the credential never appears in a response body, response header, or log line.
curl -s -X POST https://cdp.vyg.app/cdp/ingest \
  -H "Content-Type: application/json" \
  -H "Origin: https://your-shop.myshopify.com" \
  -d '{
    "source": { "scope": "your-shop.myshopify.com" },
    "events": [
      {
        "scope": "your-shop.myshopify.com",
        "eventType": "view",
        "properties": {}
      }
    ]
  }'

The body is the Unomi context.json event envelope. Send no credential — any Authorization you send is dropped.

  • Origin lock. CORS is locked to storefront origins — any https://*.myshopify.com host plus explicitly configured custom storefront domains. A disallowed Origin is rejected (403) and never reflected; there is no * on this credentialed path.
  • Scope binding. Every tenancy-bearing scope in the payload (source.scope, events[].scope, events[].target.scope) must equal the shop bound to the requesting Origin. A storefront cannot post events tagged with another shop’s scope (403).
  • 64 KB body cap. A request body over 64 KB is rejected with 413 before it is parsed or forwarded.
  • JSON guard. A non-JSON or non-object body is rejected with 400; only a validated JSON object is forwarded.
  • Rate limit. The API Gateway stage applies a steady-state + burst throttle to this public path.

On the edge-rejection paths the response is the standard error envelope (400, 403, 413, 502).
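
The guards above and the from-scratch outgoing request can be sketched as follows. This is an added example, not the project's own code: the names `check_ingest`, `shop_for_origin`, `payload_scopes` and `CUSTOM_ORIGINS`, the order of the checks, and the use of the `Authorization` header for the upstream credential are assumptions. Scope keys that are absent are treated as not present (also an assumption), and the rate limit and upstream 502 path are not modeled.

```python
import json
import re

MAX_BODY = 64 * 1024  # 64 KB cap, enforced before parsing
MYSHOPIFY = re.compile(r"https://([a-z0-9][a-z0-9-]*\.myshopify\.com)")
# Assumption: custom storefront origins map to the shop they are bound to.
CUSTOM_ORIGINS = {"https://store.example.com": "your-shop.myshopify.com"}


def shop_for_origin(origin):
    """Return the shop bound to an allowed Origin, or None if it is disallowed."""
    match = MYSHOPIFY.fullmatch(origin or "")  # fullmatch: no prefix/suffix tricks
    return match.group(1) if match else CUSTOM_ORIGINS.get(origin)


def payload_scopes(payload):
    """Collect source.scope, events[].scope and events[].target.scope where present."""
    events = payload.get("events")
    events = events if isinstance(events, list) else []
    holders = [payload.get("source"), *events]
    holders += [e.get("target") for e in events if isinstance(e, dict)]
    return [h["scope"] for h in holders if isinstance(h, dict) and "scope" in h]


def check_ingest(headers, raw_body, upstream_credential):
    """Return (status, outgoing_headers, payload); the last two are None on rejection."""
    lowered = {k.lower(): v for k, v in headers.items()}
    shop = shop_for_origin(lowered.get("origin"))
    if shop is None:
        return 403, None, None  # disallowed Origin, never reflected
    if len(raw_body) > MAX_BODY:
        return 413, None, None  # rejected before it is parsed
    try:
        payload = json.loads(raw_body)
    except (ValueError, RecursionError):  # bad JSON, bad UTF-8, absurd nesting
        return 400, None, None
    if not isinstance(payload, dict):
        return 400, None, None  # JSON, but not an object
    if any(scope != shop for scope in payload_scopes(payload)):
        return 403, None, None  # event tagged with another shop's scope
    # Built from scratch: no client header, including Authorization, is copied.
    outgoing = {"Content-Type": "application/json",
                "Authorization": upstream_credential}
    return 200, outgoing, payload
```
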