All API requests must be authenticated. To get authorized, you must include a valid access token in the Authorization header:
Authorization: Bearer your-access-token
To get an access token, you need to execute an authorization flow by using a valid application as the client.
The authorization flow depends on the grant type as described in the table below:
Grant type | Sales channel | Integration | Webapp |
Client credentials | ✅ | ✅ | |
Password | ✅ | | |
Refresh token | ✅ | | ✅ |
Authorization code | | | ✅ |
For security reasons, access tokens expire after 2 hours. Refresh tokens expire after 2 weeks.