SMRT + PDaaS, working together.

The BoxOwl Store is a live storefront — printed-to-order owl merch, run by BoxOwl on the same APIs any developer would use. Browse it with the extension installed and it greets you by name. Connect your vault and checkout fills itself. No forms. No separate account.

What it shows

Three states. One storefront.

The BoxOwl Store adapts in real time based on how much BoxOwl knows about you.

01
Anonymous

Cold — no extension

A generic storefront. "BoxOwl Store." No personalization. The experience every non-BoxOwl visitor gets — it's just a store.

02
SMRT

Recognized — extension active

The BoxOwl extension detects the store's SMRT listing and injects a signed identity header. The hero changes: "Hey, @yourdomain.com folks." The store knows your community without knowing your name — no vault access, no connection required.

03
PDaaS

Personal — vault connected

After a one-tap BoxOwl connect, the store knows your name, accent color, and shipping address. The hero greets you by first name. Checkout pulls your address from the vault — zero typing, zero re-entry.

SMRT in the store

Recognition without a connection.

The first time a BoxOwl user lands on the store, they're already greeted — before they've clicked anything.

01

The store is listed as a SMRT-enabled org

The BoxOwl Store appears in BoxOwl's public discovery catalogue of SMRT-enabled organizations. No JS snippet required on the store's side.

02

The extension fires a signed JWT on arrival

When a signed-in BoxOwl user navigates to store.boxowl.me, the extension injects a short-lived RS256 JWT as X-BoxOwl-Smrt on every request — carrying the user's opt-in preference profile (style, palette, region) with a rotating session UID, never an identifier.

03

The backend reads the preference signals from the JWT

The store server verifies the SMRT JWT against BoxOwl's published JWKS — no callback to BoxOwl per request. It doesn't get the user's name or vault — just the user-controlled preference profile. Enough to filter the catalogue by style affinity and theme the page palette before the first paint.
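
As an added example (not BoxOwl's or the store's own code), this Node.js block shows the offline check that step 03 describes: pin RS256, pick the key by kid from a cached JWKS, verify the signature, then enforce expiry. The claim names (sid, style, palette, region, exp), the kid value and the locally generated key pair are assumptions constructed for the demo.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Verify an X-BoxOwl-Smrt value against an already-cached JWKS (no network call).
// Returns the claims, or null so the caller falls back to the anonymous state.
function verifySmrt(token, jwks, nowSec = Math.floor(Date.now() / 1000)) {
  try {
    const parts = String(token).split('.');
    if (parts.length !== 3) return null;
    const [h, p, s] = parts;
    const header = parse(h);
    // Pin the algorithm; the token header must never choose it ("none", HS256).
    if (header.alg !== 'RS256') return null;
    const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
    if (!jwk) return null;
    const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
    const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
    if (!ok) return null;
    const claims = parse(p); // read claims only after the signature checks out
    // Short-lived token: require exp and reject once it has passed.
    if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return null;
    return claims;
  } catch {
    return null; // malformed input is treated exactly like a missing header
  }
}

// Constructed test data: a local key pair stands in for the real signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-1' }] };

function mint(header, claims) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const NOW = 1_700_000_000; // fixed clock so the results are reproducible
const prefs = { sid: 'rotating-session-uid', style: 'minimal', palette: 'dusk', region: 'EU', exp: NOW + 120 };
const good = mint({ alg: 'RS256', kid: 'demo-1' }, prefs);
const expired = mint({ alg: 'RS256', kid: 'demo-1' }, { ...prefs, exp: NOW - 1 });
const unsigned = `${b64u(JSON.stringify({ alg: 'none', kid: 'demo-1' }))}.${good.split('.')[1]}.`;

console.log(verifySmrt(good, JWKS, NOW), verifySmrt(expired, JWKS, NOW), verifySmrt(unsigned, JWKS, NOW));
```

Every failure path returns null, so a bad or missing header degrades to the generic storefront rather than to an error page or a partially trusted profile.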

PDaaS in the store

Vault data, on demand.

One connect flow. Then checkout is a single tap — the store never stores your address.

01

User connects their BoxOwl vault

Clicking "Connect with BoxOwl" redirects to BoxOwl's hosted consent UI. The user grants access to identity and address categories, then lands back on the store with a grant code.

02

The store exchanges the grant code for a connection

The store backend posts the code to BoxOwl's /api/v1/org-connections/exchange-code endpoint. BoxOwl returns a personId — a stable handle the store uses for all future vault reads. No personal data is stored on the store's server.

03

Checkout pulls address and identity from the vault

When the user proceeds to checkout, the store calls GET /vault/identity and GET /vault/address. The name is shown for confirmation; the address is used at order placement. Every read is audit-logged by BoxOwl.

04

Webhooks keep the connection in sync

If the user revokes access from their BoxOwl app, BoxOwl sends a customer.connection-revoked webhook. The store immediately drops the personId and falls back to the anonymous state — no stale data left behind.

Why the store exists

Reference implementation, not just documentation.

The BoxOwl Store is a real deployment of the BoxOwl integration stack — the same APIs and flow any developer would use.

Live integration

The store hits real BoxOwl APIs on every visit. The SMRT token and vault reads are not mocked — they're the same calls your integration would make.

Open reference code

The source is available for inspection. The hero state machine, consent redirect, code exchange, and checkout vault read are all there to copy from.

Day-one integration guide

Pair the live store with the PDaaS and SMRT docs. You can reproduce the full integration in an afternoon — from beta token to vault-prefilled checkout.

No data stored

The store doesn't persist your name or address. It reads from the vault at checkout time and uses only the scopes you granted — exactly the pattern your app should follow.

User stays in control

The user can revoke the store's vault access at any time from the BoxOwl app. The store is notified via webhook and immediately falls back to anonymous state.

Gradual enhancement

Works as a plain store for everyone else. SMRT adds community context. PDaaS adds full personalization. Each layer is independently useful — you don't need both to ship.

Try it with the extension installed.

Install BoxOwl, sign in, then visit the store. Watch the hero change as you connect your vault — the whole integration, running live.


Build the same thing for your users.

Start with SMRT for lightweight recognition, or go straight to PDaaS for vault-backed checkout. Both are in private beta.
