I have a webpage where users can add products from 3rd party commerce sites (amazon, shopify, magento, etc) from my page. users select multiple products then click checkout, then the page redirects them to the checkout page in the 3rd party commerce site.

this works fine with Amazon as they have a server-side API that we proxy. Input: a bunch of products, output: a checkout URL. pretty simple and it works pretty well.

we're stuck with magento, however.

• There is no public API for adding a product to a user's remote cart
• The undocumented API only supports adding a single product at a time, so supporting multiple products requires multiple API calls (which is slow)
• Most magento sites do not support HTTPS and/or redirect to HTTP all the time, and our site uses HTTPS. Thus, it doesn't really work.
• We run into CORS issues when we try AJAX requests - we're currently hacking it with iframes.
• The first request gives us a "no cookie" error page instead of actually adding it to the cart.

Is there a way to solve this? Does magento support CORS requests? What is magento's support with HTTPS?

I see http://community.magento.com/t5/Programming-Questions/API-Redirecting-user-to-magento-instance-to-view-their-cart/m-p/9113#M2029 which requires our client to install an extension, but that may not be acceptable

Although there's no API functionality in Magento supporting this out of the box, it is possible to extend Magento to support this by writing a small API module, to be installed in Magento for this to work. By creating an API extension, you can make the rules, accepting - for instance - multiple products to be added to basket.

Magento's documentation has always been quite poor, and normally developers like myself have to debug and step through the code, to understand how a particular feature is actually working. Once you become skilled enough, you start seeing a "bigger picture", which allows you to "predict" Magento behaviour and often allows you to skip step-by-step debugging investigation.

I would suggest that you get help from a professional developer, to build this (I would say at least 2-3 years of back-end development experience), and get a certified Magento developer to help you: amateurs can probably make a working solution for less, but you'd pay the consequences in a long term, not to mention portability of your module across Magento editions and versions, and security-related issues (XSS, SQL injection etc).

Magento supports HTTPS (really, that is up to the site's sysadmin, to configure the web server properly), and has a little of CORS support (by default, "same-origin" policy is implemented). Changing CORS would be a development task as well, even though I don't really see how this would be related to either REST or SOAP API.

Also, please note that Magento heavily relies on cookies for the session support (and basket is stored in database against a customer session).

This is all I can really say, that little information about your actual problem provided.

Should you need more info, I'd be happy to help, but I would need more details, in order to figure out the best solution.

Maybe you can try it with query string like this?

<?php

$formKey = Mage::getSingleton('core/session')->getFormKey();?>

<form action="/checkout/cart/add/product/<?php echo $productid; ?>" method="post">
    <input type="hidden" name="form_key" value="<?php echo $formKey; ?>" />

    <input type="text" name="qty"> QTY

    <input type="submit" value="Add to basket" />
</form>