Overview
What is ShipStream Data Border and why does it exist?
ShipStream Data Border is a secure API gateway that sits between Amazon's Selling Partner API (SP-API) and your Warehouse Management System (WMS). It acts as a "data border" over which sensitive Amazon data cannot pass—or may only pass under controlled circumstances.
The Problem
When you integrate with Amazon's marketplace to fulfill orders, your WMS needs:
- Order details - Items, quantities, shipping service levels
- Customer addresses - To generate shipping labels and route packages
- Tracking updates - To confirm shipments and update Amazon
But Amazon has strict requirements for how Personally Identifiable Information (PII) is handled:
- PII access must be logged and auditable
- Data must be tagged with its origin source
- Systems must detect and prevent suspicious access patterns
- Customer data should be minimized and protected
Building all of this into your WMS is complex, error-prone, and requires ongoing compliance work.
The Solution
Data Border handles the complexity so your WMS doesn't have to.
```mermaid
graph TB
    subgraph "Your Infrastructure"
        WMS[WMS Application]
        DeviceHub[Device Hub / Printers]
    end
    subgraph "ShipStream Data Border"
        ADB[Data Border Gateway]
        Storage[(Secure Storage)]
        Logs[(Audit Logs)]
    end
    subgraph "External"
        Amazon[Amazon SP-API]
        Carrier[Carrier APIs]
    end
    WMS -->|"Scrubbed Data"| ADB
    ADB -->|"Real PII"| Amazon
    ADB -->|"Real PII"| Carrier
    ADB -->|"Labels with PII"| Storage
    ADB -->|"Labels"| DeviceHub
    ADB -->|"All PII Access"| Logs
```
Your WMS communicates with Data Border using placeholders instead of real customer data. Data Border:
- Fetches the real PII from Amazon when needed
- Injects it into carrier requests to generate labels
- Stores original labels with PII securely
- Returns scrubbed responses to your WMS
- Sends labels directly to printers via Device Hub
Key Benefits
Simplified Compliance
- Automatic audit logging - Every PII access is recorded with order ID, timestamp, IP, and context
- Data attribution - All data tagged with `sp-api` origin for Amazon compliance
- Suspicious activity detection - Alerts on unusual access patterns (e.g., accessing shipped orders)
- Rate limiting - Built-in throttling prevents abuse
Reduced Risk
- PII minimization - Your WMS never sees customer addresses (unless explicitly requested)
- Encrypted storage - Amazon tokens encrypted with AES-256-GCM
- No backups needed - In a disaster, just redeploy and re-authenticate sellers
- Isolated secrets - Each seller's tokens encrypted with a unique secret
Seamless Integration
- Placeholder-based API - Simple request format with `{{ship_to_name}}`, `{{ship_to_address1}}`, etc.
- Multiple carrier support - EasyPost, ShipStation, Shippo, UPS, FedEx, USPS, DHL
- Device Hub printing - Labels sent directly to printers, bypassing your WMS
- OAuth flow handling - Seller authentication managed end-to-end
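The placeholder round trip and audit record described above, as an added TypeScript sketch (not ShipStream's code): placeholders are filled on the way to the carrier, the access is logged, and echoed PII is scrubbed before the response returns to the WMS. All function and type names, the `context` string and the sample values are assumptions; only the `{{ship_to_name}}` and `{{ship_to_address1}}` placeholders and the `sp-api` tag come from this page.

```typescript
// Added illustration, not ShipStream's code. All names here are hypothetical.
type Pii = { [field: string]: string };
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };
interface AuditEntry { orderId: string; timestamp: string; ip: string; context: string; fields: string[]; source: "sp-api" }
const auditLog: AuditEntry[] = [];

// Apply fn to every string inside a JSON-like value, keeping its shape.
function mapStrings(value: Json, fn: (s: string) => string): Json {
  if (typeof value === "string") return fn(value);
  if (Array.isArray(value)) return value.map((v) => mapStrings(v, fn));
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const k of Object.keys(value)) out[k] = mapStrings(value[k], fn);
    return out;
  }
  return value;
}

// WMS -> carrier: swap {{field}} placeholders for real PII and log the access.
function injectPii(body: Json, pii: Pii, orderId: string, ip: string): Json {
  const used: string[] = [];
  const filled = mapStrings(body, (s) =>
    s.replace(/\{\{(\w+)\}\}/g, (_m: string, field: string) => {
      // Own-property check so "{{constructor}}" cannot resolve to a prototype member; fail closed.
      if (!Object.prototype.hasOwnProperty.call(pii, field)) throw new Error("unknown placeholder: " + field);
      if (used.indexOf(field) < 0) used.push(field);
      return pii[field];
    }));
  // The audit entry names the fields that were read, never their values.
  if (used.length > 0) auditLog.push({ orderId, timestamp: new Date().toISOString(), ip,
    context: "carrier-label-request", fields: used, source: "sp-api" });
  return filled;
}

// Carrier -> WMS: restore placeholders wherever a PII value is echoed back.
function scrubPii(body: Json, pii: Pii): Json {
  // Longest values first, so a short value inside a longer one cannot split it.
  const fields = Object.keys(pii).filter((f) => pii[f].length > 0)
    .sort((a, b) => pii[b].length - pii[a].length);
  return mapStrings(body, (s) =>
    fields.reduce((acc, f) => acc.split(pii[f]).join("{{" + f + "}}"), s));
}

// Constructed sample data, not real customer data.
const samplePii: Pii = { ship_to_name: "Jane Example", ship_to_address1: "1 Test Street" };
const wmsRequest: Json = { order: "ORDER-0001", to: { name: "{{ship_to_name}}", street1: "{{ship_to_address1}}" } };
const carrierRequest = injectPii(wmsRequest, samplePii, "ORDER-0001", "192.0.2.10");
const wmsResponse = scrubPii({ tracking: "TRACK-0001", echoed: carrierRequest }, samplePii);
```

An unknown placeholder aborts the request before anything is sent to the carrier, so a typo in the WMS template cannot leak a literal `{{...}}` onto a label or pull an unintended field.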
Architecture
Data Border is designed as a stateless gateway with minimal data persistence:
| Component | Technology | Purpose |
|---|---|---|
| Runtime | Node.js 22+ | High-performance TypeScript execution |
| Framework | Hono | Lightweight HTTP routing |
| Database | SQLite | Tenant, seller, and audit data |
| Storage | Tigris (S3-compatible) | Label storage and backups |
| Security | Arcjet WAF | Rate limiting and attack protection |
| Deployment | Fly.io | Secure, isolated micro-VMs |
What's Stored?
Data Border stores the minimum data required:
- Tenant configuration - WMS name, redirect URLs, Device Hub settings
- Seller records - Amazon seller IDs, encrypted refresh tokens
- Audit logs - PII access records for compliance
- Labels - Unredacted shipping labels (for reprinting)
What's NOT stored:
- Customer PII (fetched on-demand from Amazon)
- Amazon access tokens (generated per-request)
- Your WMS credentials or secrets
