What this audit checks
Authentication & access
- JWT bearer parses cleanly (HS512, payload contains appKey/sellerId/storeId/domain/exp)
- JWT exp claim > 30 days away (warn) / > 7 days (critical) - silent-expiry alarm
- Region credential matches JWT
domainclaim (us / apac / asean host alignment) - Authorization header attaches as ‘Bearer ’ (NOT raw token - Shopline expects Bearer prefix unlike OnBuy)
- Validate-endpoint /admin/openapi//orders.json?limit=1 returns 200 with orders payload
- shop.json / account.json / merchants.json 404 expected - derive identity from JWT, not from /shop
Catalogue & SEO completeness
- Products with empty body_html (missing description) - free conversion lift
- Variants with no SKU populated >5% of catalogue (breaks marketplace + 3PL integrations)
- Products missing primary image (variants without media)
- Products in ‘archived’ status still showing on storefront
- Tag sprawl - top-10 tags account for <40% of products (taxonomy decay)
Order & fulfilment SLA
- Unfulfilled paid orders aged >48h (3PL/warehouse drag)
- Avg time-to-fulfil >36h (slow ops)
- Fulfillment rate <90% on 30D vsP (broken shipping promises)
- Cancellation rate >3% (refund + rating impact)
- Partially-paid order count >5 outstanding (broken authorise-only flow)
Refunds & customer trust
- Refund rate >5% on 30D vsP (product quality / expectation mismatch)
- Rolling 24h refund rate >2× 30D baseline (anomaly)
- Top refunding customers - concentrated repeat-refunder fraud signal
- Refund value as % of revenue >8% (margin destroyer)
Inventory hygiene
- Zero/negative stock variants on active products (OOS but visible)
- Low-stock SKUs <10 units across >5% of catalogue
- Days-of-cover <7 on top-50 SKUs by velocity (stockout imminent)
- Inventory-feed staleness - updated_at >24h on active variants
Discount & margin discipline
- Discount % of revenue >25% sustained (promo dependency)
- Shipping cost as % of revenue >15% (subsidising delivery)
- AOV with discount vs without - gap >30% indicates margin cannibalisation
Cross-channel: leak vs Amazon / Ads / Email / Monitoring (the killer area)
- Amazon revenue share >70% on top SKUs (platform-dependency risk)
- Catalogue drift - same SKU, Shopline vs Amazon price delta >20% or title/image mismatch
- Active ads on OOS Shopline SKUs - daily spend on variants with inventory_quantity <= 0
- Revenue at risk per minute during a connected Datadog/New Relic incident (>$0 while incident open)
- Email-attributed revenue share <15% (email under-utilised) OR drop >20% vsP
- Top-velocity Amazon UK SKUs missing entirely from Shopline catalogue (assortment gap)
Severity thresholds
| Signal | Warn | Critical |
|---|---|---|
jwt_days_to_expiry | 30 | 7 |
unfulfilled_orders_aged_48h | 5 | 20 |
avg_fulfilment_hours | 24 | 36 |
fulfillment_rate_pct | 92 | 90 |
cancellation_rate_pct | 2 | 3 |
partial_paid_count | 5 | 15 |
refund_rate_pct | 3 | 5 |
refund_spike_multiplier | 1.5 | 2 |
refund_value_pct_of_revenue | 5 | 8 |
oos_active_variant_count | 1 | 10 |
low_stock_pct_of_catalogue | 3 | 5 |
days_of_cover_top_skus | 14 | 7 |
inventory_staleness_hours | 12 | 24 |
missing_descriptions_count | 1 | 10 |
sku_coverage_pct | 97 | 95 |
discount_pct_of_revenue | 20 | 25 |
shipping_pct_of_revenue | 12 | 15 |
amazon_revenue_share_pct | 10 | - |
catalogue_drift_count | 5 | 10 |
ads_on_oos_daily_spend | 1 | 25 |
email_revenue_share_pct | 15 | 10 |
consecutive_auth_failures | 1 | 3 |
Data sources
GET https://sl-open-{region}.myshopline.com/admin/openapi/{api_version}/orders.json- Auth probe + revenue/refund/fulfilment context (limit=1 = cheapest validate)GET https://sl-open-{region}.myshopline.com/admin/openapi/{api_version}/products.json- Catalogue completeness + SKU coverage + slow-mover detectionGET https://sl-open-{region}.myshopline.com/admin/openapi/{api_version}/customers.json- Customer count + repeat rate + top-spender concentrationGET https://sl-open-{region}.myshopline.com/admin/openapi/{api_version}/inventory_levels.json- OOS + low-stock + days-of-coverGET https://sl-open-{region}.myshopline.com/admin/openapi/{api_version}/refunds.json- Refund-rate spike detection + top refunders