Commerce LayerPricingBlogSign up free
Search…
Introduction
Getting started
Authentication
Roles and permissions
Fetching resources
Including associations
Sparse fieldsets
Sorting results
Pagination
Filtering data
Creating resources
Updating resources
Deleting resources
Importing resources
External resources
Handling errors
Real-time webhooks
Callbacks security
Resources
Addresses
Adjustments
Adyen gateways
Adyen payments
Applications
Attachments
Authorizations
Avalara accounts
Billing info validation rules
Bing geocoders
Braintree gateways
Braintree payments
Bundles
Captures
Carrier accounts
Checkout com gateways
Checkout com payments
Coupon codes promotion rules
Coupons
Customer addresses
Customer groups
Customer password resets
Customer payment sources
Customer subscriptions
Customers
Delivery lead times
Event callbacks
External gateways
External payments
External promotions
External tax calculators
Fixed amount promotions
Free shipping promotions
Geocoders
Gift card recipients
Gift cards
Google geocoders
Imports
In stock subscriptions
Inventory models
Inventory return locations
Inventory stock locations
Line item options
Line items
Manual gateways
Manual tax calculators
Markets
Merchants
Order amount promotion rules
Order copies
Order subscriptions
Order validation rules
Orders
Organizations
Packages
Parcel line items
Parcels
Payment gateways
Payment methods
Paypal gateways
Paypal payments
Percentage discount promotions
Price lists
Prices
Promotion rules
Promotions
Refunds
Return line items
Returns
Shipments
Shipping categories
Shipping methods
Shipping zones
SKU list items
SKU list promotion rules
SKU lists
SKU options
SKUs
Stock items
Stock line items
Stock locations
Stock transfers
Stripe gateways
Stripe payments
Tax calculators
Tax categories
Tax rules
Taxjar accounts
Transactions
Voids
Webhooks
Wire transfers
Powered By GitBook
Roles and permissions
How to set specific permitted actions for each resource
Commerce Layer supports a granular access control system on a resource level. Each access token gets a specific set of permissions. The client and the authorization flow determine your permitted actions for each resource.

Sales channel

Sales channel applications support client_credentials, password and refresh_token grant types. Given their limited permissions, they can be safely used in client-side applications.

Client credentials

Sales channel applications that authenticate through client_credentials get the following permissions.
For security reasons sales channel applications can read resource lists only for skus, sku_options, prices, and bundles. Getting a list is not allowed for all the other resources. For example, a sales channel is authorized to get /api/orders/xYZkjABcde but not /api/orders endpoint.
​
Create
Read
Update
Delete
Restrictions
Addresses
✅
✅
✅
✅
Single resource only.
Bundles
​
✅
​
​
Bundles associated with the market in scope.
Customers
✅
​
​
​
​
Customer subscriptions
✅
✅
✅
✅
Single resource only.
Delivery lead times
​
✅
​
​
Delivery lead times associated with the shipping methods enabled for the market in scope.
Gift cards
✅
✅
✅
✅
If "draft" (single resource only).
Gift card recipients
✅
✅
✅
✅
Single resource only.
Orders
✅
✅
✅
​
Can be read if "draft", "pending" or "placed" and updated if "draft" or "pending" (single resource only).
Line items
✅
✅
✅
✅
Can be read if belonging to "draft", "pending" or "placed" orders and updated/deleted if belonging to "draft" or "pending" orders (single resource only).
Line item options
✅
✅
✅
✅
Can be read if belonging line items associated with "draft", "pending" or "placed" orders and updated/deleted if belonging to line items associated with "draft" or "pending" orders (single resource only).
Payment methods
​
✅
​
​
Enabled payment methods associated with the market in scope.
Payment sources
✅
✅
✅
✅
Can be read if belonging to "draft", "pending" or "placed" orders and updated/deleted if belonging to "draft" or "pending" orders (single resource only).
Prices
​
✅
​
​
Prices associated with the market price list.
Returns
✅
✅
✅
​
Can be created for orders associated with the market in scope and updated if in "draft" status (single resource only).
Return Line Items
✅
✅
​
​
Single resource only.
Shipments
​
✅
✅
​
Can be read if belonging to "draft", "pending" or "placed" orders and updated if belonging to "draft" or "pending" orders (single resource only).
Shipment line items
​
✅
​
​
Can be read if belonging to shipments associated with "draft", "pending" or "placed" orders (single resource only).
Shipping methods
​
✅
​
​
Enabled shipping methods associated with the market in scope.
SKUs
​
✅
​
​
SKUs with stock items in the market inventory model and a price in the market price list.
SKU options
​
✅
​
​
SKU options associated with the market in scope.
SKU lists
✅
✅
✅
✅
Single resource only.
SKU list items
✅
✅
✅
✅
Single resource only.
Stock items
​
✅
​
​
SKU items belonging to the stock locations associated with the market in scope.
Stock transfers
​
✅
​
​
Can be read if belonging to shipments associated with "draft", "pending" or "placed" orders (single resource only).

Password

Sales channel applications can authenticate a customer through the password flow. The access tokens that they get include the sum of the client permissions plus the ones below.
​
Create
Read
Update
Delete
Restrictions
Customers
​
✅
✅
✅
The customer must be the authenticated resource owner.
Customer addresses
✅
✅
✅
✅
The customer must be the authenticated resource owner.
Customer payment sources
​
✅
✅
✅
The customer must be the authenticated resource owner.
Customer subscriptions
✅
✅
✅
✅
The customer must be the authenticated resource owner.
Line items
✅
✅
✅
✅
The line items must belong to one of the customer's orders.
Line item options
✅
✅
✅
✅
The line item options must belong to one of the line items associated with one of the customer's orders.
Orders
✅
✅
✅
​
The customer must be the authenticated resource owner.
Order subscriptions
​
✅
​
​
The subscriptions must be associated with one of the customer's orders.
Parcels
✅
​
​
​
The parcels must belong to one of the customer's orders.
Shipments
​
✅
✅
​
The shipments must belong to one of the customer's orders.

Refresh token

An access token obtained through a refresh_token inherit the same set of permissions as the one that expired.

Integration

Integration applications support the client_credentials grant type. The access tokens that they get include the set of permissions of their role.

Webapp

Webapp applications support authorization_code and refresh_token grant types. They don't bring any grants to the access tokens, and get the set of permissions of to the authenticated user's role. Access tokens obtained through a refresh_token inherit the same set of permissions as the one that expired.

Other application types

Other application types (such as Zapier, Contentful, DatoCMS, etc.) have more straightforward authorization rules and get the right amount of permissions that are required by the relevant tool.
Commerce Layer Zapier app is currently private. Feel free to accept this invitation and start building your zaps!
Previous
Refresh token
Next
Fetching resources
Last modified 30d ago
Copy link
Contents
Sales channel
Integration
Webapp
Other application types