sumit-officeguy
Install: claude install-skill elikadosh/sumit-officeguy-api-skill
# SUMIT (OfficeGuy) API
## Overview
SUMIT (a.k.a. OfficeGuy) is a single, uniform Israeli billing/accounting REST API.
- **Base URL:** `https://api.sumit.co.il` (legacy `https://www.myofficeguy.com` is equivalent).
- **Every call is `POST`** with `Content-Type: application/json` and a JSON body containing a `Credentials` object.
- **Every response uses one envelope:** `{ Status, UserErrorMessage, TechnicalErrorDetails, Data }`.
- `Status`: **Success = 0**, **BusinessError = 1**, **TechnicalError = 2**. Treat `Status !== 0` as failure.
- **Only exception:** `/api/accounting/documents/getpdf/` returns **raw PDF bytes**, not the envelope — read as ArrayBuffer/Blob, never `JSON.parse`.
- Interactive docs / Swagger: `https://app.sumit.co.il/developers/api/`. Get keys: `https://app.sumit.co.il/developers/keys/`.
- Set `Content-Language: he` (default) or `en` header for error-message language.
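
The envelope and PDF rules above as one server-side helper; this is an added example, not code from SUMIT or from this skill. It assumes `Credentials` carries `CompanyID` and `APIKey`; `sumitPost`, `decodeSumitResponse`, `SumitError` and the `%PDF-` magic check are illustrative choices, not part of the API.

```javascript
// Added example (server-side only); names not on the page are assumptions.
const BASE_URL = "https://api.sumit.co.il";
const PDF_PATH = "/api/accounting/documents/getpdf/";
const STATUS = { Success: 0, BusinessError: 1, TechnicalError: 2 };

class SumitError extends Error {
  constructor(status, userMessage, technicalDetails) {
    super(userMessage || "SUMIT call failed");
    this.name = "SumitError";
    this.status = status;
    // Keep for server logs; do not echo technical details to end users.
    this.technicalDetails = technicalDetails;
  }
}

// Pure decoder: raw bytes for the PDF endpoint, unwrapped Data for everything else.
function decodeSumitResponse(path, bytes) {
  if (path === PDF_PATH) {
    // Defensive check (assumption): a body without the PDF magic is a failure.
    const magic = String.fromCharCode(...bytes.slice(0, 5));
    if (magic !== "%PDF-") {
      throw new SumitError(STATUS.TechnicalError, "Expected a PDF", null);
    }
    return bytes; // never JSON.parse this
  }
  const envelope = JSON.parse(new TextDecoder().decode(bytes));
  if (envelope.Status !== STATUS.Success) {
    throw new SumitError(
      envelope.Status, envelope.UserErrorMessage, envelope.TechnicalErrorDetails);
  }
  return envelope.Data;
}

// creds is assumed to be { CompanyID, APIKey }; fetchImpl is injectable for tests.
async function sumitPost(path, body, creds, fetchImpl = fetch, language = "he") {
  if (typeof window !== "undefined") {
    throw new Error("APIKey is a server-only secret; refusing to run in a browser");
  }
  const res = await fetchImpl(BASE_URL + path, {
    method: "POST",
    headers: { "Content-Type": "application/json", "Content-Language": language },
    body: JSON.stringify({ ...body, Credentials: creds }),
  });
  return decodeSumitResponse(path, new Uint8Array(await res.arrayBuffer()));
}
```
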
## ⚠️ CRITICAL — Two keys, two trust zones
| Key | Where | Authorizes |
|-----|-------|-----------|
| **`APIPublicKey`** | **Browser** (payments.js, single-use tokenization, read-only transaction lookup) | Create single-use card tokens only — safe to expose. |
| **`APIKey`** (secret) | **Server only** — NEVER ship to the browser | Real charges, documents, saved-card vault, recurring billing, admin. |
In Next.js: charges/documents/webhooks run in route handlers/server actions with `APIKey`; the public key powers the client payment form. Use `NEXT_PUBLIC_` only for `CompanyID` and `API