How to get your access token, based on OAuth 2.0 grants

All API requests must be authenticated. To get authorized, you must include a valid access token in the Authorization header:

Authorization: Bearer your-access-token

Authorization grant flows

To get an access token, you need to execute an authorization flow by using a valid application as the client.

The authorization flow depends on the grant type as described in the table below:

Grant type

Sales channel



Client credentials


Refresh token

Authorization code

For security reasons, access tokens expire after 2 hours. Refresh tokens expire after 2 weeks.

Authorization scopes

For each of the above authorization flows you can restrict the scope to a specific market and/or stock location.

The access token scope is a string composed by "{{resource_name}}:{{resource_number}}", where resource_number is the number — not the ID — of the market or stock location you want to put in scope.

Putting a market in scope

By including a market scope in the access token request — market:1234 — all the resources (e.g. SKUs, prices, stock items) that you fetch are automatically filtered.

"grant_type": "authorization-grant",
"client_id": "your-client-id",
"scope": "market:1234"

Sales channel applications require a market in scope when requesting their access token to perform the permitted CRUD actions. If the market in scope is associated with a customer group, it becomes private and can be accessed only by the customers belonging to the group — in that case, to get your token you must use the password flow.

Putting a stock location in scope

By including a stock location scope in the access token request — stock_location:4567 — the stock is restricted to the SKUs available in that specific stock location.

"grant_type": "authorization-grant",
"client_id": "your-client-id",
"scope": "market:1234 stock_location:4567"

When putting a stock location in scope, adding the associated market in the access token request is mandatory. If the market scope is missing or the stock location doesn't belong to the market in scope the API responds with a 400 Bad Request error code.