You are responsible for a public REST API that powers mobile ordering and internal admin workflows. The API exposes customer orders, payment status, and store configuration, and it is consumed by browser clients, mobile apps, and backend services. A recent review found inconsistent resource naming, ad hoc status codes, and unclear authentication boundaries between customer and admin endpoints.