# API credentials
To use Commerce Layer API you need to be [authorized](https://docs.commercelayer.io/core/authentication) in the first place. This means you need to get a valid access token. The permissions you're granted authenticating with that token are determined by the type of API client you used to get it. Three different types are currently available in order to get your credentials: **sales channel**, **integration**, and **webapp**. Which one to use depends on your specific use case.
{% hint style="info" %}
You can fetch the information about your current API credentials (i.e. the one you used to get your access token) by querying the [application](https://app.gitbook.com/s/RWJeylueWkzLadK710XZ/application) endpoint of the Core API. You can manage all the CRUD action on all your [API credentials](https://app.gitbook.com/s/xrdVVavnnBMHRCqrLp1y/api-reference/api_credentials) using the Provisioning API. API credentials management is also available via the admin Dashboard — [read this](#generating-api-credentials) to learn how to do it.
{% endhint %}
### Sales channel
**Sales channels** are used to build any customer touchpoint (e.g. your storefront with a fully-functional shopping cart and checkout flow).
Sales channels grant *non-confidential* (public) API credentials. They can authenticate by providing just a **client ID** and their [permissions](https://docs.commercelayer.io/core/roles-and-permissions#sales-channel) are restricted so that they can be safely used client-side and their tokens exposed to the public without any risks. For example, they can access only one order at a time (the one associated with the shopping cart you're about to checkout, identified by a not guessable, unique hashID) and respond with a `401 Unauthorized` error if you try to request a list of orders.
Sales channels require a [market in scope](https://docs.commercelayer.io/core/authentication#putting-a-market-in-scope) when requesting their access tokens. This way all the API call results are automatically filtered based on the specified scope. In particular:
* Only the **SKUs** that are *sellable* in that market are returned (to be sellable in a market an SKU must have a price in the market's price list and at least one stock item in one of the market's stock locations, regardless of its quantity).
* Only the **prices** associated with that market's price list are returned.
* The **stock** availability is calculated by checking only the stock locations associated with that market (e.g. only the stock items associated with that market's stock locations are returned).
{% hint style="info" %}
Using a sales channel is the most straightforward way to build your customer touchpoint. Anyway, if you want to have complete control over the grants brought to the access tokens, you can always use an [integration](#integration). Just make sure not to expose the secret on the client, by building a dedicated *backend for frontend* (BFF), or properly leveraging serverless functions.
{% endhint %}
### Integration
**Integrations** are used to develop backend integrations with any 3rd-party system.
Integrations provide *confidential* API credentials. They need a **client ID** and a **client secret** to authenticate and can have one of two [roles](https://docs.commercelayer.io/core/roles-and-permissions#integration):
* **Read-only** — to perform `GET` requests on any single resource or list of resources.
* **Admin** — to perform any CRUD (create, retrieve, update, or delete) action on any resource.
{% hint style="info" %}
[Enterprise](https://commercelayer.io/pricing) users can define **custom roles** for their integration API credentials, specifying custom permissions on CRUD actions at the single resource level so as to leverage a granular control, tailored to their needs.
{% endhint %}
### Webapp
**Webapps** are used to develop custom web apps or services for your users, extending Commerce Layer backend with any functionality that is not provided out of the box.
Webapps let you execute the OAuth 2.0 [authorization code](https://docs.commercelayer.io/core/authentication/authorization-code) grant flow to get an access token after a user authorizes an app. They don't come with their own [roles and permissions](https://docs.commercelayer.io/core/roles-and-permissions#webapp), since they get the set of permissions of the authenticated user.
## Generating API credentials
The Core API [application](https://app.gitbook.com/s/RWJeylueWkzLadK710XZ/application) endpoint is read-only, meaning that by using the API you can only [retrieve](https://app.gitbook.com/s/RWJeylueWkzLadK710XZ/application/retrieve) the information about the API credentials within the current scope. The full set of CRUD operations (create, update, and delete) on all your API credentials are available via the [Provisioning API](https://app.gitbook.com/s/xrdVVavnnBMHRCqrLp1y/api-reference/api_credentials) or via the admin Dashboard, as shown in the screenshots below.
Head over to the *API credentials* section by clicking on the related item under the *Developers* dropdown in the nav menu sidebar on the left of your dashboard. The list of your current available API credentials will be displayed. You can access each one individually to update or delete them. To create a new one, click on *+ New* on the top right of the list:
The following page is where you can select the kind of API credentials you want to create.
#### Sales channel
To create a sales channel, select the *Sales channel* card, give your new API credentials a meaningful name, and click on the *Create* button:
On successful creation, you will enter the details page, where you can find and copy to clipboard your API credentials (**client ID**, **base endpoint**, and allowed **scopes**):
{% hint style="info" %}
To **update** or **delete** your sales channel just click on the three dots `...` button at the top right corner and select the desired action from the dropdown.
{% endhint %}
#### Integration
To create an integration, select the *Integration* card, give your new API credentials a meaningful name, choose its role from the related dropdown, and click on the *Create* button:
On successful creation, you will enter the details page, where you can find and copy to clipboard your API credentials (**client ID**, **client secret**, and **base endpoint**):
{% hint style="info" %}
To **update** or **delete** your integration just click on the three dots `...` button at the top right corner and select the desired action from the dropdown.
{% endhint %}
#### Webapp
To create a webapp, select the *Webapp* card, give your new API credentials a meaningful name, insert the redirect URI (necessary for the [authorization code](https://docs.commercelayer.io/core/authentication/authorization-code) flow), and click on the *Create* button:
On successful creation, you will enter the details page, where you can find and copy to clipboard your API credentials (**client ID**, **client secret**, and **base endpoint**):
{% hint style="info" %}
To **update** or **delete** your webapp just click on the three dots `...` button at the top right corner and select the desired action from the dropdown.
{% endhint %}
