> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create or initiate a connector connection

> Configures and activates a connector integration for the entity. Connector-specific settings
(e.g. Shopify store URL and access token, AvaTax company code) are validated before the
integration is saved. If the integration already exists, use `PATCH` to update settings.
Credentials are stored in AWS Secrets Manager; they are never written to the database.
Requires `integrations:write` scope.




## OpenAPI

````yaml /openapi.yaml post /integrations/{connector_type}
openapi: 3.1.0
info:
  title: Arcus ERP Public API
  version: 1.0.0
  description: >
    Arcus ERP public REST API. Designed for external integrations and data
    migration.


    **Authentication.** Bearer token (API key) via the `Authorization` header.

    Format: `Authorization: Bearer ark_live_ent_<code>_<random>` (or
    `ark_test_*` for sandbox).

    API keys are issued per-entity in **Settings > Developers > API Keys**.


    **Entity scoping.** The entity is encoded in the API key prefix; routes are
    flat

    (e.g. `/v1/accounts`, `/v1/orders`, `/v1/products`). A small set of platform
    endpoints

    (migration, reconciliation, events, webhook endpoints, API keys) use the

    `/v1/entities/{entity_id}/...` form -- those are noted in their tags.


    **Key capabilities.**
      - Related-resource hydration via `?expand[]=` (see `x-arcus-expand` on each resource).
      - Cursor-based pagination (`starting_after` / `ending_before` / `limit`).
      - Idempotency via the `Idempotency-Key` header.
      - Webhook events for asynchronous notification.
      - Conditional requests / ETag for cache validation.
servers:
  - url: https://api.arcuserp.com/v1
    description: Arcus ERP API (accepts both live `ark_live_*` and test `ark_test_*` keys)
  - url: https://dev-api.arcuserp.com/v1
    description: >-
      Dev sandbox API (test-only data, accepts `ark_test_*` keys against dev
      RDS)
security: []
paths:
  /integrations/{connector_type}:
    parameters:
      - name: connector_type
        in: path
        required: true
        description: >-
          Connector type. Enum: stripe, avatax, shippo, printnode, postmark,
          shopify, mapquest, google, openai, plaid, ups, fedex, usps, amazon,
          ebay, wwex
        schema:
          type: string
          enum:
            - stripe
            - avatax
            - shippo
            - printnode
            - postmark
            - shopify
            - mapquest
            - google
            - openai
            - plaid
            - ups
            - fedex
            - usps
            - amazon
            - ebay
            - wwex
    post:
      tags:
        - Integrations
      summary: Create or initiate a connector connection
      description: >
        Configures and activates a connector integration for the entity.
        Connector-specific settings

        (e.g. Shopify store URL and access token, AvaTax company code) are
        validated before the

        integration is saved. If the integration already exists, use `PATCH` to
        update settings.

        Credentials are stored in AWS Secrets Manager; they are never written to
        the database.

        Requires `integrations:write` scope.
      operationId: createIntegrationV1
      parameters:
        - $ref: '#/components/parameters/Idempotency'
      requestBody:
        required: false
        description: >
          Config-only body for Mode A connectors (most connectors).

          Body may NOT contain: credentials, secret, api_key, access_token,
          refresh_token,

          webhook_secret, credentials_secret_arn (422 returned if present).

          entity_id MUST NOT be in the body (derived from API key; 422 if
          present).


          Shopify (Mode B, OAuth): provide { shop: "mystore.myshopify.com",
          mode: "live" }.

          Response is 200 { object: "integration_oauth_required", oauth_url,
          expires_at }.

          Follow the oauth_url; poll GET /v1/integrations/shopify until
          is_active=true.


          7-day deletion-recovery: re-POST within 7 days of DELETE silently
          restores

          the prior credential blob from Secrets Manager (per
          project_shopify_expiring_tokens_contract).
        content:
          application/json:
            schema:
              type: object
              additionalProperties: false
              properties:
                mode:
                  type: string
                  enum:
                    - sandbox
                    - live
                display_name:
                  type: string
                config:
                  type: object
                  description: Provider-specific configuration JSON
                shop:
                  type: string
                  description: >-
                    Shopify only: merchant myshopify.com domain (e.g.
                    mystore.myshopify.com)
                ship_from_name:
                  type: string
                ship_from_address1:
                  type: string
                ship_from_city:
                  type: string
                ship_from_state:
                  type: string
                ship_from_zip:
                  type: string
                seller_id:
                  type: string
                  description: Amazon/eBay marketplace seller ID
                bank_account_id:
                  type: string
                  description: 'Plaid: bank account UUID to link'
      responses:
        '200':
          description: >
            Config-only (Mode A): created connector row.

            Shopify/OAuth (Mode B): { object: "integration_oauth_required",
            oauth_url, expires_at, hint }.
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/ConnectorRow'
                  - $ref: '#/components/schemas/IntegrationOAuthRequired'
        '400':
          $ref: '#/components/responses/Error'
        '401':
          $ref: '#/components/responses/Error'
        '403':
          $ref: '#/components/responses/Error'
        '422':
          description: 'forbidden_field: credentials or entity_id in request body'
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: string
                    example: forbidden_field
                  code:
                    type: string
                    example: forbidden_field
                  param:
                    type: string
                    description: The forbidden field name
                  hint:
                    type: string
      security:
        - ApiKeyAuth: []
components:
  parameters:
    Idempotency:
      name: Idempotency-Key
      in: header
      required: false
      description: >
        Client-generated unique key for idempotent POST/PATCH/DELETE operations.

        Max 255 chars. On retry with the same key, the original response is
        returned

        without re-executing the operation. Keys expire after 24 hours.

        Pattern: <random-uuid> or <client-prefix>-<operation>-<resource-id>.
      schema:
        type: string
        maxLength: 255
  schemas:
    ConnectorRow:
      type: object
      description: >
        A configured connector row from entity_connectors.

        SECURITY: credentials, webhook_secret, and credentials_secret_arn RAW
        VALUES

        are NEVER returned. has_credentials_secret_arn (boolean) indicates if

        credentials are stored. credentials_masked returns key names only (no
        values).

        These invariants are enforced by the canonical
        listConnectors/getConnectorByType

        handler projection and cannot be overridden by callers.
      properties:
        id:
          type: string
          format: uuid
        entity_id:
          type: string
          format: uuid
        connector_type:
          type: string
          enum:
            - stripe
            - avatax
            - shippo
            - printnode
            - postmark
            - shopify
            - mapquest
            - google
            - openai
            - plaid
            - ups
            - fedex
            - usps
            - amazon
            - ebay
            - wwex
        display_name:
          type: string
        mode:
          type: string
          enum:
            - sandbox
            - live
        is_active:
          type: boolean
        config:
          type: object
          description: Provider-specific configuration (opaque JSON)
        has_webhook_secret:
          type: boolean
          description: >-
            True if a webhook signing secret is configured (value never
            returned)
        has_credentials_secret_arn:
          type: boolean
          description: >-
            True if credentials are stored in AWS Secrets Manager (ARN never
            returned)
        last_sync_at:
          type: string
          format: date-time
          nullable: true
        sync_status:
          type: string
          nullable: true
        sync_error:
          type: string
          nullable: true
        ship_from_name:
          type: string
          nullable: true
        ship_from_address1:
          type: string
          nullable: true
        ship_from_city:
          type: string
          nullable: true
        ship_from_state:
          type: string
          nullable: true
        ship_from_zip:
          type: string
          nullable: true
        seller_id:
          type: string
          nullable: true
        bank_account_id:
          type: string
          format: uuid
          nullable: true
        created_at:
          type: string
          format: date-time
        updated_at:
          type: string
          format: date-time
    IntegrationOAuthRequired:
      type: object
      description: >
        Returned by POST /v1/integrations/{connector_type} when the connector

        requires OAuth (e.g. Shopify). The caller must redirect the user's
        browser

        to oauth_url to complete the connection. Poll GET /v1/integrations/:type

        until is_active=true after the user completes the OAuth flow.

        7-day deletion-recovery: if re-connecting within 7 days of a DELETE,

        the prior credential blob is restored from Secrets Manager
        automatically.
      required:
        - object
        - connector_type
        - oauth_url
        - expires_at
      properties:
        object:
          type: string
          enum:
            - integration_oauth_required
        connector_type:
          type: string
        oauth_url:
          type: string
          format: uri
          description: OAuth consent URL. Redirect the user's browser here.
        expires_at:
          type: string
          format: date-time
          description: When the OAuth state token expires (10 minutes from now)
        hint:
          type: string
          description: Human-readable instructions for the caller
    ErrorEnvelope:
      type: object
      description: |
        Canonical error response envelope. All API errors use this shape.
      required:
        - error
        - code
      properties:
        error:
          type: string
          description: Machine-readable error key
          example: not_found
        code:
          type: string
          description: Machine-readable error code (often same as error)
          example: not_found
        type:
          type: string
          enum:
            - validation_error
            - permission_error
            - not_found
            - conflict
            - rate_limit
            - internal
            - expand_error
            - not_implemented
          example: not_found
        hint:
          type: string
          description: Human-readable one-sentence explanation (English)
          example: >-
            The requested order does not exist or does not belong to this
            entity.
        param:
          type: string
          description: The parameter that caused the error, if applicable
          example: expand[0]
        required:
          type: string
          description: The scope required (only on insufficient_scope errors)
          example: accounts:read
        request_id:
          type: string
          description: >-
            Unique request ID for support tracing (maps to CloudWatch log
            stream)
          example: req_abc123
  responses:
    Error:
      description: Error response (400/401/403/404/409/422/429/500)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      description: |
        API key issued per entity via Settings > Developers > API Keys.
        Each key carries scopes (e.g. orders:read, products:write).
        Bearer token format: Authorization: Bearer ark_live_ent_<code>_<random>
        Test keys use ark_test_ent_<code>_<random>. Both are issued per entity
        via Settings > Developers > API Keys.

````