Commerce LayerPricingBlogSign up free
Search…
Introduction
Getting started
Authentication
Client credentials
Password
Authorization code
Refresh token
Roles and permissions
Fetching resources
Including associations
Sparse fieldsets
Sorting results
Pagination
Filtering data
Creating resources
Updating resources
Deleting resources
Importing resources
External resources
Handling errors
Real-time webhooks
Callbacks security
Resources
Addresses
Adjustments
Adyen gateways
Adyen payments
Applications
Attachments
Authorizations
Avalara accounts
Billing info validation rules
Bing geocoders
Braintree gateways
Braintree payments
Bundles
Captures
Carrier accounts
Checkout com gateways
Checkout com payments
Coupon codes promotion rules
Coupons
Customer addresses
Customer groups
Customer password resets
Customer payment sources
Customer subscriptions
Customers
Delivery lead times
Event callbacks
External gateways
External payments
External promotions
External tax calculators
Fixed amount promotions
Free shipping promotions
Geocoders
Gift card recipients
Gift cards
Google geocoders
Imports
In stock subscriptions
Inventory models
Inventory return locations
Inventory stock locations
Line item options
Line items
Manual gateways
Manual tax calculators
Markets
Merchants
Order amount promotion rules
Order copies
Order subscriptions
Order validation rules
Orders
Organizations
Packages
Parcel line items
Parcels
Payment gateways
Payment methods
Paypal gateways
Paypal payments
Percentage discount promotions
Price lists
Prices
Promotion rules
Promotions
Refunds
Return line items
Returns
Shipments
Shipping categories
Shipping methods
Shipping zones
SKU list items
SKU list promotion rules
SKU lists
SKU options
SKUs
Stock items
Stock line items
Stock locations
Stock transfers
Stripe gateways
Stripe payments
Tax calculators
Tax categories
Tax rules
Taxjar accounts
Transactions
Voids
Webhooks
Wire transfers
Powered By GitBook
Authentication
How to get your access token, based on OAuth 2.0 grants
All API requests must be authenticated. To get authorized, you must include a valid access token in the Authorization header:
1
Authorization: Bearer your-access-token
Copied!

Authorization grant flows

To get an access token, you need to execute an authorization flow by using a valid application as the client.
The authorization flow depends on the grant type as described in the table below:
Grant type
Sales channel
Integration
Webapp
Client credentials
✅
✅
​
Password
✅
​
​
Refresh token
✅
​
✅
Authorization code
​
​
✅
For security reasons, access tokens expire after 2 hours. Refresh tokens expire after 2 weeks.

Authorization scopes

For each of the above authorization flows you can restrict the scope to a specific market and/or stock location.
The access token scope is a string composed by "{{resource_name}}:{{resource_number}}", where resource_number is the number — not the ID — of the market or stock location you want to put in scope.

Putting a market in scope

By including a market scope in the access token request — market:1234 — all the resources (e.g. SKUs, prices, stock items) that you fetch are automatically filtered.
1
{
2
"grant_type": "authorization-grant",
3
"client_id": "your-client-id",
4
...,
5
"scope": "market:1234"
6
}
Copied!
Sales channel applications require a market in scope when requesting their access token to perform the permitted CRUD actions. If the market in scope is associated with a customer group, it becomes private and can be accessed only by the customers belonging to the group — in that case, to get your token you must use the password flow.

Putting a stock location in scope

By including a stock location scope in the access token request — stock_location:4567 — the stock is restricted to the SKUs available in that specific stock location.
1
{
2
"grant_type": "authorization-grant",
3
"client_id": "your-client-id",
4
...,
5
"scope": "market:1234 stock_location:4567"
6
}
Copied!
When putting a stock location in scope, adding the associated market in the access token request is mandatory. If the market scope is missing or the stock location doesn't belong to the market in scope the API responds with a 400 Bad Request error code.
Previous
Getting started
Next
Client credentials
Last modified 6mo ago
Copy link
Contents
Authorization grant flows
Authorization scopes