Your data, on tap. For whoever needs it.
The MISE AN PLACE API gives you (or whoever you hire) read access to your tenant's orders, products, and customers — plus signed webhook events on every state change. Build whatever you need on top: accounting integrations, mobile apps, custom reports, Slack pings.
Start here
There are two kinds of people on this page.
MISE AN PLACE is for food businesses (we call them operators). The API is for the operator or anyone they hand a key to. Pick whichever applies to you.
Path A
You're the operator
You run a bakery, catering company, meal-prep, etc. You're a MISE AN PLACE customer. Your dashboard has an API keys section under Settings.
What you'll do
- Sign in to your MISE AN PLACE dashboard
- Generate a scoped API key (read-only by default)
- Use it yourself, or hand it to your developer
Don't have an account yet? Start your 14-day trial.
Path B
You're a developer they hired
A food business asked you to plug their MISE AN PLACE storefront into Xero, Slack, a custom report — anything. You don't sign up here. The operator does, and generates a key for you.
What you'll do
- Ask the operator for an API key with the right scopes
- Get the storefront's API base (their domain + /api/v1)
- Build against the reference below
Tip: a password manager is the right way to receive a key — not email, not Slack.
No separate developer account. MISE AN PLACE does not have a "developer portal" you sign up for. There is exactly one kind of account: the operator. Anyone else interacts via a key the operator issued.
What you can build
Real things, real businesses build.
These aren't theoretical. Each example has been done by a tenant or partner with a few hours of dev time.
Sync orders to your accounting tool
Pull every paid order into Xero, QuickBooks, FreshBooks, or your bookkeeper's spreadsheet — automatically, every day.
Cron job → GET /api/v1/orders?since=yesterday → write to Xero
Build a companion mobile app
Let staff mark orders ready or out-for-delivery from a phone. Or give VIP customers a private re-order app.
iOS / Android app → bearer-token requests to your storefront
Sync inventory or recipes
Push product changes from your inventory tool into MISE AN PLACE, or pull production sheets into your ERP.
Inventory webhook fires → POST product update → menu refreshes
Pipe events into Slack, Discord, SMS
Get a Slack ping the moment a $500+ catering order comes in, or text the kitchen lead at cutoff.
order.locked webhook → Zapier → Slack channel
Custom reports + BI dashboards
Pull orders into Metabase, Looker, or Google Sheets to slice revenue, products, customers however you want.
Daily script → /api/v1/orders → load into BigQuery
Connect to anything else
ERPs, CRMs, loyalty platforms, marketing tools — if it speaks REST or webhooks, it speaks to MISE AN PLACE.
Mailchimp / HubSpot / Klaviyo / your custom app
Quickstart · Path A
If you're the operator.
Three steps to a key your team or your developer can use.
01
Open your MISE AN PLACE dashboard
dashboard.misean.place — or your custom subdomain. You'll need to be an owner to manage API keys.02
Generate a scoped key
03
Hand it to your developer (or use it yourself)
https://heirspears.com/api/v1).Quickstart · Path B
If you're the developer.
You're not a MISE AN PLACE customer — your client is. Here's how the handoff works.
01
Get a key from the operator who hired you
read:orders for an accounting integration).02
Confirm the API base
/api/v1 appended. Custom domains (heirspears.com) and platform subdomains (heirspears.misean.place) both work — pick whichever the operator uses publicly.03
Make your first request, then wire webhooks
GET /api/v1/orders with the bearer token. For real-time integrations, ask the operator to add your webhook URL in Settings → Webhooks and share the signing secret with you the same way they shared the key.Reference
Endpoints + payloads.
All examples use heirspears.com as the storefront domain. Replace it with yours. Custom subdomains work too — yourbiz.misean.place is equally valid.
Authentication
Every endpoint requires a Bearer token in the Authorization header. Keys are scoped per-permission and per-tenant — there are no global admin keys.
curl https://heirspears.com/api/v1/orders \ -H "Authorization: Bearer mtx_live_..."
Rate limit: 600 req/min per key (2,400 on Pro). When exceeded, the response is HTTP 429 with Retry-After and X-RateLimit-Remaining headers.
Scopes: read:orders, read:products, read:customers. Pick the minimum a key needs.
GET /api/v1/products
List your active catalog. Useful for inventory sync, menu mirroring, or seeding a third-party search index.
curl https://heirspears.com/api/v1/products \ -H "Authorization: Bearer mtx_live_..."
{
"data": [
{
"id": "8f3...",
"name": "Country sourdough",
"slug": "country-sourdough",
"list_price_cents": 900,
"currency": "USD",
"category_id": "3a2...",
"dietary_tags": ["vegan"],
"is_active": true,
"updated_at": "2026-04-29T18:21:00Z"
}
],
"next_cursor": null
}Filter with ?category=loaves, ?since=2026-04-01T00:00:00Z, or ?limit=50 (max 200, paginate with cursor).
GET /api/v1/orders
List orders, most recent first. The endpoint most accounting + BI integrations will use daily.
curl "https://heirspears.com/api/v1/orders?status=delivered&since=2026-04-28" \ -H "Authorization: Bearer mtx_live_..."
{
"data": [
{
"id": "ord_...",
"order_number": "HP-00342",
"status": "delivered",
"subtotal_cents": 4500,
"tax_cents": 225,
"delivery_fee_cents": 800,
"total_cents": 5525,
"currency": "USD",
"customer": { "email": "amy@example.com", "name": "Amy K." },
"delivery_date": "2026-04-29",
"items": [ /* line items */ ],
"created_at": "2026-04-28T19:14:00Z",
"delivered_at": "2026-04-29T13:42:00Z"
}
],
"next_cursor": "eyJ..."
}Query params: status, since / until (ISO 8601), limit (max 200), cursor.
Webhooks
We POST JSON to URLs you configure in Settings → Webhooks. Every request includes an X-Mitryxa-Signature header (HMAC-SHA256 of the raw body, hex-encoded with your webhook secret).
Events you can subscribe to:
order.createdorder.lockedorder.in_productionorder.readyorder.out_for_deliveryorder.deliveredorder.cancelledorder.refundedquote.requestedquote.sentquote.convertedaccount.approvedaccount.declinedwholesale.appliedVerifying a payload (Node):
import crypto from "node:crypto";
export function isValidSignature(
rawBody: string,
signature: string,
secret: string,
): boolean {
const expected = crypto
.createHmac("sha256", secret)
.update(rawBody)
.digest("hex");
return crypto.timingSafeEqual(
Buffer.from(expected),
Buffer.from(signature),
);
}Retries: Failed deliveries (non-2xx) retry at 1m, 5m, 15m, 1h, 6h. Max 5 attempts before the event is marked failed in your webhook log.
Idempotency: Each event has a unique event_id. If you see the same event_id twice, it's a retry — handle it idempotently.
Security best practices
- Store keys in your secret manager, never in source control.
- Issue one key per integration. Revoke any key from Settings → API keys when rotating.
- Always verify the webhook signature before processing the payload.
- Use scopes — a Slack bot does not need
read:customers, justread:orders. - Never embed an API key in a public mobile app or front-end. Use a server-side proxy.
- Don't poll for changes when a webhook would do — saves rate-limit budget on both sides.
Errors
Errors return a JSON body with an error string and a status code.
- 401Missing, malformed, or invalid key.
- 403Key valid but missing the scope this endpoint requires.
- 404Resource not found in your tenant. (RLS — never an information leak about another tenant.)
- 429Rate limit exceeded. Wait the time in
Retry-Afterand retry. - 5xxServer-side issue. Retry with exponential backoff.
Hand this page to your developer. They'll know what to do.
Operators: open your dashboard. Developers: ask the operator who hired you for a key. No developer of your own? We'll connect you with someone who's shipped a MISE AN PLACE integration before.