spree_api 5.4.0.beta4 → 5.4.0.beta6

data/app/serializers/spree/api/v3/order_serializer.rb

@@ -4,7 +4,7 @@ module Spree
       # Store API Order Serializer
       # Customer-facing order data
       class OrderSerializer < BaseSerializer
-        typelize number: :string, state: :string, token: :string, email: [:string, nullable: true],
+        typelize number: :string, state: :string, checkout_steps: 'string[]', token: :string, email: [:string, nullable: true],
                  special_instructions: [:string, nullable: true], currency: :string, locale: [:string, nullable: true], item_count: :number,
                  state_lock_version: :number, shipment_state: [:string, nullable: true], payment_state: [:string, nullable: true],
                  item_total: :string, display_item_total: :string,
@@ -17,7 +17,7 @@ module Spree
                  total: :string, display_total: :string, completed_at: [:string, nullable: true],
                  bill_address: { nullable: true }, ship_address: { nullable: true }
 
-        attributes :number, :state, :token, :email, :special_instructions,
+        attributes :number, :state, :checkout_steps, :token, :email, :special_instructions,
                    :currency, :locale, :item_count, :state_lock_version, :shipment_state, :payment_state,
                    :item_total, :display_item_total, :ship_total, :display_ship_total,
                    :adjustment_total, :display_adjustment_total, :promo_total, :display_promo_total,

data/app/serializers/spree/api/v3/payment_serializer.rb

@@ -6,7 +6,7 @@ module Spree
                  number: :string, amount: :string, display_amount: :string,
                  source_type: [:string, nullable: true, enum: %w[credit_card store_credit payment_source]],
                  source_id: [:string, nullable: true],
-                 source: 'StoreCreditCard | StoreStoreCredit | StorePaymentSource | null'
+                 source: 'CreditCard | StoreCredit | PaymentSource | null'
 
         attribute :payment_method_id do |payment|
           payment.payment_method&.prefixed_id

data/app/serializers/spree/api/v3/product_serializer.rb

@@ -11,8 +11,8 @@ module Spree
                  thumbnail_url: [:string, nullable: true],
                  available_on: [:string, nullable: true],
                  purchasable: :boolean, in_stock: :boolean, backorderable: :boolean, available: :boolean,
-                 price: 'StorePrice',
-                 original_price: ['StorePrice', nullable: true],
+                 price: 'Price',
+                 original_price: ['Price', nullable: true],
                  tags: [:string, multi: true]
 
         attributes :name, :description, :slug,
@@ -71,37 +71,37 @@ module Spree
         many :variant_images,
              key: :images,
              resource: Spree.api.image_serializer,
-             if: proc { params[:expand]&.include?('images') }
+             if: proc { expand?('images') }
 
         many :variants,
              resource: Spree.api.variant_serializer,
-             if: proc { params[:expand]&.include?('variants') }
+             if: proc { expand?('variants') }
 
         one :default_variant,
             resource: Spree.api.variant_serializer,
-            if: proc { params[:expand]&.include?('default_variant') }
+            if: proc { expand?('default_variant') }
 
         one :master,
             key: :master_variant,
             resource: Spree.api.variant_serializer,
-            if: proc { params[:expand]&.include?('master_variant') }
+            if: proc { expand?('master_variant') }
 
         many :option_types,
              resource: Spree.api.option_type_serializer,
-             if: proc { params[:expand]&.include?('option_types') }
+             if: proc { expand?('option_types') }
 
         many :taxons,
              proc { |taxons, params|
                taxons.select { |t| t.taxonomy.store_id == params[:store].id }
              },
-             resource: Spree.api.taxon_serializer,
-             if: proc { params[:expand]&.include?('taxons') },
-             params: { expand: [] }
+             key: :categories,
+             resource: Spree.api.category_serializer,
+             if: proc { expand?('categories') }
 
         many :public_metafields,
              key: :metafields,
              resource: Spree.api.metafield_serializer,
-             if: proc { params[:expand]&.include?('metafields') }
+             if: proc { expand?('metafields') }
       end
     end
   end

data/app/serializers/spree/api/v3/shipping_category_serializer.rb

@@ -0,0 +1,11 @@
+module Spree
+  module Api
+    module V3
+      class ShippingCategorySerializer < BaseSerializer
+        typelize name: :string
+
+        attributes :id, :name
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/shipping_rate_serializer.rb

@@ -3,17 +3,13 @@ module Spree
     module V3
       class ShippingRateSerializer < BaseSerializer
         typelize name: :string, selected: :boolean, shipping_method_id: :string,
-                 cost: :number, display_cost: :string
+                 cost: :string, display_cost: :string
 
         attribute :shipping_method_id do |shipping_rate|
           shipping_rate.shipping_method&.prefixed_id
         end
 
-        attributes :name, :selected
-
-        attribute :cost do |shipping_rate|
-          shipping_rate.cost.to_f
-        end
+        attributes :name, :selected, :cost
 
         attribute :display_cost do |shipping_rate|
           shipping_rate.display_cost.to_s

data/app/serializers/spree/api/v3/tax_category_serializer.rb

@@ -0,0 +1,11 @@
+module Spree
+  module Api
+    module V3
+      class TaxCategorySerializer < BaseSerializer
+        typelize name: :string
+
+        attributes :id, :name
+      end
+    end
+  end
+end

data/app/serializers/spree/api/v3/variant_serializer.rb

@@ -9,8 +9,8 @@ module Spree
                  thumbnail: [:string, nullable: true],
                  purchasable: :boolean, in_stock: :boolean, backorderable: :boolean,
                  weight: [:number, nullable: true], height: [:number, nullable: true], width: [:number, nullable: true], depth: [:number, nullable: true],
-                 price: 'StorePrice',
-                 original_price: ['StorePrice', nullable: true]
+                 price: 'Price',
+                 original_price: ['Price', nullable: true]
 
         attribute :product_id do |variant|
           variant.product&.prefixed_id
@@ -72,14 +72,14 @@ module Spree
         # Conditional associations
         many :images,
              resource: Spree.api.image_serializer,
-             if: proc { params[:expand]&.include?('images') }
+             if: proc { expand?('images') }
 
         many :option_values, resource: Spree.api.option_value_serializer
 
         many :public_metafields,
              key: :metafields,
              resource: Spree.api.metafield_serializer,
-             if: proc { params[:expand]&.include?('metafields') }
+             if: proc { expand?('metafields') }
       end
     end
   end

data/app/serializers/spree/api/v3/wishlist_serializer.rb

@@ -18,7 +18,7 @@ module Spree
         many :wished_items,
              key: :items,
              resource: Spree.api.wished_item_serializer,
-             if: proc { params[:expand]&.include?('items') }
+             if: proc { expand?('items') }
       end
     end
   end

data/app/services/spree/api/v3/filters_aggregator.rb

@@ -2,22 +2,20 @@ module Spree
   module Api
     module V3
       class FiltersAggregator
-        SORT_OPTION_IDS = Spree::Taxon::SORT_ORDERS
-
-        # @param scope [ActiveRecord::Relation] Base product scope (already filtered by store, availability, taxon, etc.)
+        # @param scope [ActiveRecord::Relation] Base product scope (already filtered by store, availability, category, etc.)
         # @param currency [String] Currency for price range
-        # @param taxon [Spree::Taxon, nil] Optional taxon for default_sort and taxon filtering context
-        def initialize(scope:, currency:, taxon: nil)
+        # @param category [Spree::Category, nil] Optional category for default_sort and category filtering context
+        def initialize(scope:, currency:, category: nil)
           @scope = scope
           @currency = currency
-          @taxon = taxon
+          @category = category
         end
 
         def call
           {
             filters: build_filters,
             sort_options: sort_options,
-            default_sort: @taxon&.sort_order || 'manual',
+            default_sort: to_api_sort(@category&.sort_order || 'manual'),
             total_count: @scope.distinct.count
           }
         end
@@ -29,12 +27,20 @@ module Spree
             price_filter,
             availability_filter,
             *option_type_filters,
-            taxon_filter
+            category_filter
           ].compact
         end
 
         def sort_options
-          SORT_OPTION_IDS.map { |id| { id: id } }
+          Spree::Taxon::SORT_ORDERS.map { |id| { id: to_api_sort(id) } }
+        end
+
+        # Converts internal sort format ('price asc') to API format ('price', '-price')
+        def to_api_sort(sort_value)
+          return sort_value unless sort_value.include?(' ')
+
+          field, direction = sort_value.split(' ', 2)
+          direction == 'desc' ? "-#{field}" : field
         end
 
 
@@ -87,7 +93,7 @@ module Spree
 
         def option_value_data(option_type, option_value)
           # Count products in scope that have this option value
-          # We use a subquery approach to avoid GROUP BY conflicts when scope includes joins (like in_taxon)
+          # We use a subquery approach to avoid GROUP BY conflicts when scope includes joins (like in_category)
           # Join directly to option_value_variants for efficiency (skips joining through option_values table)
           count = Spree::Product
             .where(id: base_scope_product_ids)
@@ -109,31 +115,31 @@ module Spree
           @base_scope_product_ids ||= @scope.reorder('').distinct.pluck(:id)
         end
 
-        def taxon_filter
-          return nil if @taxon.nil?
+        def category_filter
+          return nil if @category.nil?
 
-          # Get child taxons at the next depth level
-          child_taxons = @taxon.children.order(:lft).select do |child|
-            # Only include taxons that have products in the current scope
-            @scope.in_taxon(child).exists?
+          # Get child categories at the next depth level
+          child_categories = @category.children.order(:lft).select do |child|
+            # Only include categories that have products in the current scope
+            @scope.in_category(child).exists?
           end
 
-          return nil if child_taxons.empty?
+          return nil if child_categories.empty?
 
           {
-            id: 'taxons',
-            type: 'taxon',
-            options: child_taxons.map { |t| taxon_option_data(t) }
+            id: 'categories',
+            type: 'category',
+            options: child_categories.map { |c| category_option_data(c) }
           }
         end
 
-        def taxon_option_data(taxon)
-          count = @scope.in_taxon(taxon).distinct.count
+        def category_option_data(category)
+          count = @scope.in_category(category).distinct.count
 
           {
-            id: taxon.prefixed_id,
-            name: taxon.name,
-            permalink: taxon.permalink,
+            id: category.prefixed_id,
+            name: category.name,
+            permalink: category.permalink,
             count: count
           }
         end

data/app/services/spree/webhooks/deliver_webhook.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'net/http'
+require 'ssrf_filter'
 require 'openssl'
 
 module Spree
@@ -49,32 +49,38 @@ module Spree
       private
 
       def make_request
-        uri = URI.parse(@delivery.url)
-        http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = uri.scheme == 'https'
-        http.verify_mode = ssl_verify_mode
-        http.open_timeout = TIMEOUT
-        http.read_timeout = TIMEOUT
-
-        request = Net::HTTP::Post.new(uri.request_uri)
-        request['Content-Type'] = 'application/json'
-        request['User-Agent'] = 'Spree-Webhooks/1.0'
-        request['X-Spree-Webhook-Signature'] = generate_signature
-        request['X-Spree-Webhook-Event'] = @delivery.event_name
-        request.body = @delivery.payload.to_json
-
-        http.request(request)
+        SsrfFilter.post(
+          @delivery.url,
+          headers: {
+            'Content-Type' => 'application/json',
+            'User-Agent' => 'Spree-Webhooks/1.0',
+            'X-Spree-Webhook-Signature' => generate_signature,
+            'X-Spree-Webhook-Timestamp' => webhook_timestamp.to_s,
+            'X-Spree-Webhook-Event' => @delivery.event_name
+          },
+          body: @delivery.payload.to_json,
+          http_options: {
+            open_timeout: TIMEOUT,
+            read_timeout: TIMEOUT,
+            verify_mode: ssl_verify_mode
+          }
+        )
       end
 
       def generate_signature
         payload_json = @delivery.payload.to_json
-        OpenSSL::HMAC.hexdigest('SHA256', @secret_key, payload_json)
+        OpenSSL::HMAC.hexdigest('SHA256', @secret_key, "#{webhook_timestamp}.#{payload_json}")
+      end
+
+      def webhook_timestamp
+        @webhook_timestamp ||= Time.current.to_i
       end
 
       def ssl_verify_mode
         if Spree::Api::Config.webhooks_verify_ssl
           OpenSSL::SSL::VERIFY_PEER
         else
+          Rails.logger.warn('[Spree] Webhook SSL verification is disabled. This is not recommended for production environments.')
           OpenSSL::SSL::VERIFY_NONE
         end
       end

data/app/subscribers/spree/webhook_event_subscriber.rb

@@ -48,7 +48,7 @@ module Spree
       )
 
       # Queue the delivery job
-      Spree::WebhookDeliveryJob.perform_later(delivery.id, endpoint.secret_key)
+      Spree::WebhookDeliveryJob.perform_later(delivery.id)
     rescue StandardError => e
       Rails.logger.error "[Spree Webhooks] Error queuing delivery for endpoint #{endpoint.id}: #{e.message}"
       Rails.error.report(e)

data/config/initializers/alba.rb

@@ -1,4 +1,4 @@
-Alba.backend = :oj
+Alba.backend = :oj_rails
 Alba.inflector = :active_support
 
 # Custom types

data/config/initializers/typelizer.rb

@@ -2,24 +2,34 @@
 # via `bundle exec rake typelizer:generate`. Set ENABLE_TYPELIZER=1 to enable.
 ENV["DISABLE_TYPELIZER"] ||= "true" unless ENV["ENABLE_TYPELIZER"]
 
-Typelizer.configure do |config|
+Rails.application.config.after_initialize do
   api_root = Spree::Api::Engine.root
 
-  config.dirs = [
-    api_root.join('app/serializers/spree/api/v3'),
-    api_root.join('app/serializers/spree/api/v3/admin')
-  ]
-  config.output_dir = api_root.join('../../packages/sdk/src/types/generated')
-  config.comments = true
+  Typelizer.configure do |config|
+    config.dirs = [api_root.join('app/serializers/spree/api/v3')]
+    config.comments = true
+    config.listen = false
 
-  # Type names: StoreProduct, AdminProduct, etc.
-  config.serializer_name_mapper = ->(serializer) {
-    name = serializer.name.to_s
-      .sub(/\ASpree::Api::V3::Admin::/, 'Admin')
-      .sub(/\ASpree::Api::V3::/, 'Store')
-      .sub(/Serializer\z/, '')
-    name
-  }
+    # Store SDK — no prefix, package provides namespace
+    config.writer(:store) do |c|
+      c.output_dir = api_root.join('../../packages/sdk/src/types/generated')
+      c.reject_class = ->(serializer:) { serializer.name.to_s.include?('::Admin::') }
+      c.serializer_name_mapper = ->(serializer) {
+        serializer.name.to_s
+          .sub(/\ASpree::Api::V3::/, '')
+          .sub(/Serializer\z/, '')
+      }
+    end
 
-  config.listen = false # https://github.com/skryukov/typelizer?tab=readme-ov-file#automatic-generation-in-development
+    # Admin SDK — no prefix, package provides namespace
+    config.writer(:admin) do |c|
+      c.output_dir = api_root.join('../../packages/admin-sdk/src/types/generated')
+      c.reject_class = ->(serializer:) { !serializer.name.to_s.include?('::Admin::') }
+      c.serializer_name_mapper = ->(serializer) {
+        serializer.name.to_s
+          .sub(/\ASpree::Api::V3::Admin::/, '')
+          .sub(/Serializer\z/, '')
+      }
+    end
+  end
 end

data/config/locales/en.yml

@@ -6,6 +6,7 @@ en:
       invalid_api_key: Invalid API key (%{key}) specified.
       invalid_resource: Invalid resource. Please fix errors and try again.
       invalid_taxonomy_id: Invalid taxonomy id.
+      current_password_invalid: Current password is invalid or missing
       must_specify_api_key: You must specify an API key.
       negative_quantity: quantity is negative
       order:
@@ -23,6 +24,10 @@ en:
       shipment_transfer_success: Variants successfully transferred
       stock_location_required: A stock_location_id parameter must be provided in order to retrieve stock movements.
       unauthorized: You are not authorized to perform that action.
+      v3:
+        payments:
+          session_required: This payment method requires a payment session. Use the payment sessions endpoint instead.
+          method_unavailable: This payment method is not available for this order.
       v2:
         cart:
           no_coupon_code: No coupon code provided and the Order doesn't have any coupon code promotions applied

data/config/routes.rb

@@ -4,12 +4,11 @@ Spree::Core::Engine.add_routes do
       namespace :store do
         # Authentication
         post 'auth/login', to: 'auth#create'
-        post 'auth/register', to: 'auth#register'
         post 'auth/refresh', to: 'auth#refresh'
         post 'auth/oauth/callback', to: 'auth#oauth_callback'
 
-        # Store
-        resource :store, only: [:show]
+        # Customer registration
+        resources :customers, only: [:create]
 
         # Markets
         resources :markets, only: [:index, :show] do
@@ -30,9 +29,8 @@ Spree::Core::Engine.add_routes do
             get :filters, to: 'products/filters#index'
           end
         end
-        resources :taxonomies, only: [:index, :show]
-        resources :taxons, only: [:index, :show], id: /.+/ do
-          resources :products, only: [:index], controller: 'taxons/products'
+        resources :categories, only: [:index, :show], id: /.+/ do
+          resources :products, only: [:index], controller: 'categories/products'
         end
 
         # Cart
@@ -53,7 +51,7 @@ Spree::Core::Engine.add_routes do
           resource :store_credits, only: [:create, :destroy], controller: 'orders/store_credits'
           resources :line_items, only: [:create, :update, :destroy], controller: 'orders/line_items'
           resources :coupon_codes, only: [:create, :destroy], controller: 'orders/coupon_codes'
-          resources :payments, only: [:index, :show], controller: 'orders/payments'
+          resources :payments, only: [:index, :show, :create], controller: 'orders/payments'
           resources :payment_methods, only: [:index], controller: 'orders/payment_methods'
           resources :payment_sessions, only: [:create, :show, :update], controller: 'orders/payment_sessions' do
             member do
@@ -63,10 +61,12 @@ Spree::Core::Engine.add_routes do
           resources :shipments, only: [:index, :show, :update], controller: 'orders/shipments'
         end
 
-        # Customer
+        # Customer (current user profile)
+        get 'customer', to: 'customers#show'
+        patch 'customer', to: 'customers#update'
+
+        # Customer nested resources
         namespace :customer, path: 'customer' do
-          get '/', to: 'account#show'
-          patch '/', to: 'account#update'
           resources :addresses, only: [:index, :show, :create, :update, :destroy] do
             member do
               patch :mark_as_default

data/lib/spree/api/configuration.rb

@@ -10,9 +10,11 @@ module Spree
       preference :api_v2_per_page_limit, :integer, default: 500
 
       preference :jwt_expiration, :integer, default: 3600 # 1 hour in seconds
+      preference :jwt_secret_key, :string, default: nil
 
-      # Rate limiting (requests per minute)
+      # Rate limiting
       preference :rate_limit_per_key, :integer, default: 300 # per publishable API key
+      preference :rate_limit_window, :integer, default: 60 # window in seconds
       preference :rate_limit_login, :integer, default: 5 # per IP
       preference :rate_limit_register, :integer, default: 3 # per IP
       preference :rate_limit_refresh, :integer, default: 10 # per IP

data/lib/spree/api/dependencies.rb

@@ -4,6 +4,7 @@ module Spree
   module Api
     class ApiDependencies
       INJECTION_POINTS_WITH_DEFAULTS = {
+        # Legacy API v2 dependencies - will be removed in Spree 6
         # cart services
         storefront_cart_create_service: -> { Spree::Dependencies.cart_create_service },
         storefront_cart_add_item_service: -> { Spree::Dependencies.cart_add_item_service },
@@ -66,6 +67,8 @@ module Spree
         storefront_estimated_shipment_serializer: 'Spree::V2::Storefront::EstimatedShippingRateSerializer',
         storefront_store_serializer: 'Spree::V2::Storefront::StoreSerializer',
         storefront_policy_serializer: 'Spree::V2::Storefront::PolicySerializer',
+        storefront_post_category_serializer: 'Spree::V2::Storefront::PostCategorySerializer',
+        storefront_post_serializer: 'Spree::V2::Storefront::PostSerializer',
         storefront_order_serializer: 'Spree::V2::Storefront::OrderSerializer',
         storefront_variant_serializer: 'Spree::V2::Storefront::VariantSerializer',
         storefront_image_serializer: 'Spree::V2::Storefront::ImageSerializer',
@@ -109,21 +112,21 @@ module Spree
         country_serializer: 'Spree::Api::V3::CountrySerializer',
         market_serializer: 'Spree::Api::V3::MarketSerializer',
         state_serializer: 'Spree::Api::V3::StateSerializer',
-        store_serializer: 'Spree::Api::V3::StoreSerializer',
         wishlist_serializer: 'Spree::Api::V3::WishlistSerializer',
         wished_item_serializer: 'Spree::Api::V3::WishedItemSerializer',
         payment_method_serializer: 'Spree::Api::V3::PaymentMethodSerializer',
         shipping_method_serializer: 'Spree::Api::V3::ShippingMethodSerializer',
         shipping_rate_serializer: 'Spree::Api::V3::ShippingRateSerializer',
         stock_location_serializer: 'Spree::Api::V3::StockLocationSerializer',
-        taxonomy_serializer: 'Spree::Api::V3::TaxonomySerializer',
-        taxon_serializer: 'Spree::Api::V3::TaxonSerializer',
+        category_serializer: 'Spree::Api::V3::CategorySerializer',
         order_promotion_serializer: 'Spree::Api::V3::OrderPromotionSerializer',
         digital_link_serializer: 'Spree::Api::V3::DigitalLinkSerializer',
         gift_card_serializer: 'Spree::Api::V3::GiftCardSerializer',
         currency_serializer: 'Spree::Api::V3::CurrencySerializer',
         locale_serializer: 'Spree::Api::V3::LocaleSerializer',
         metafield_serializer: 'Spree::Api::V3::MetafieldSerializer',
+        shipping_category_serializer: 'Spree::Api::V3::ShippingCategorySerializer',
+        tax_category_serializer: 'Spree::Api::V3::TaxCategorySerializer',
 
         # v3 event serializers (for models without Store API endpoints yet)
         asset_serializer: 'Spree::Api::V3::AssetSerializer',
@@ -152,9 +155,32 @@ module Spree
         admin_variant_serializer: 'Spree::Api::V3::Admin::VariantSerializer',
         admin_price_serializer: 'Spree::Api::V3::Admin::PriceSerializer',
         admin_metafield_serializer: 'Spree::Api::V3::Admin::MetafieldSerializer',
-        admin_taxon_serializer: 'Spree::Api::V3::Admin::TaxonSerializer',
+        admin_category_serializer: 'Spree::Api::V3::Admin::CategorySerializer',
         admin_line_item_serializer: 'Spree::Api::V3::Admin::LineItemSerializer',
-        admin_taxonomy_serializer: 'Spree::Api::V3::Admin::TaxonomySerializer',
+        admin_option_type_serializer: 'Spree::Api::V3::Admin::OptionTypeSerializer',
+        admin_option_value_serializer: 'Spree::Api::V3::Admin::OptionValueSerializer',
+        admin_image_serializer: 'Spree::Api::V3::Admin::ImageSerializer',
+        admin_asset_serializer: 'Spree::Api::V3::Admin::AssetSerializer',
+        admin_stock_item_serializer: 'Spree::Api::V3::Admin::StockItemSerializer',
+        admin_shipment_serializer: 'Spree::Api::V3::Admin::ShipmentSerializer',
+        admin_payment_serializer: 'Spree::Api::V3::Admin::PaymentSerializer',
+        admin_refund_serializer: 'Spree::Api::V3::Admin::RefundSerializer',
+        admin_adjustment_serializer: 'Spree::Api::V3::Admin::AdjustmentSerializer',
+        admin_shipping_category_serializer: 'Spree::Api::V3::Admin::ShippingCategorySerializer',
+        admin_tax_category_serializer: 'Spree::Api::V3::Admin::TaxCategorySerializer',
+        admin_return_authorization_serializer: 'Spree::Api::V3::Admin::ReturnAuthorizationSerializer',
+        admin_reimbursement_serializer: 'Spree::Api::V3::Admin::ReimbursementSerializer',
+        admin_admin_user_serializer: 'Spree::Api::V3::Admin::AdminUserSerializer',
+        admin_address_serializer: 'Spree::Api::V3::Admin::AddressSerializer',
+        admin_shipping_method_serializer: 'Spree::Api::V3::Admin::ShippingMethodSerializer',
+        admin_stock_location_serializer: 'Spree::Api::V3::Admin::StockLocationSerializer',
+        admin_shipping_rate_serializer: 'Spree::Api::V3::Admin::ShippingRateSerializer',
+        admin_order_promotion_serializer: 'Spree::Api::V3::Admin::OrderPromotionSerializer',
+        admin_payment_method_serializer: 'Spree::Api::V3::Admin::PaymentMethodSerializer',
+        admin_credit_card_serializer: 'Spree::Api::V3::Admin::CreditCardSerializer',
+        admin_store_credit_serializer: 'Spree::Api::V3::Admin::StoreCreditSerializer',
+        admin_payment_source_serializer: 'Spree::Api::V3::Admin::PaymentSourceSerializer',
+        admin_digital_link_serializer: 'Spree::Api::V3::Admin::DigitalLinkSerializer',
 
         # platform serializers
         platform_metafield_serializer: 'Spree::Api::V2::Platform::MetafieldSerializer',

data/lib/spree/api/engine.rb

@@ -24,6 +24,21 @@ module Spree
         Spree.subscribers << Spree::WebhookEventSubscriber
       end
 
+      # Warn in production if no dedicated JWT secret key is configured
+      config.after_initialize do
+        next unless Rails.env.production?
+
+        if Spree::Api::Config[:jwt_secret_key].blank? &&
+           Rails.application.credentials.jwt_secret_key.blank? &&
+           ENV['JWT_SECRET_KEY'].blank?
+          Rails.logger.warn(
+            '[Spree] No dedicated JWT secret key configured. Falling back to Rails.application.secret_key_base. ' \
+            'Set Spree::Api::Config[:jwt_secret_key], Rails credentials jwt_secret_key, or ENV["JWT_SECRET_KEY"] ' \
+            'for improved security.'
+          )
+        end
+      end
+
       def self.root
         @root ||= Pathname.new(File.expand_path('../../..', __dir__))
       end