Authorization code
How to execute the authorization flow and get your access token
The authorization_code grant type is used by webapps to exchange an authorization code for an access token. Unlike the other grant types, the authorization_code flow requires two steps:
1. Get an authorization code from the Commerce Layer dashboard.
2. Exchange that code for an access token.
For security reasons, authorization codes expire after 10 minutes.
To get an authorization code, send a GET request to the Commerce Layer dashboard /oauth/authorize endpoint with the API client credentials and the response type as query parameters. The response type must be code.
GET https://dashboard.commercelayer.io/oauth/authorize
Query parameter | Type | Required | Description |
---|---|---|---|
client_id | string | Required | Your application's client_id . |
redirect_uri | string | Required | Your application's redirect_uri . |
scope | string | Optional | Your access token scope (market, stock location). |
response_type | string | Required | code |
The following request tries to get an authorization code, putting in scope the market identified by the number "1234":
curl -g -X GET \
'https://dashboard.commercelayer.io/oauth/authorize?client_id=your-client-id&redirect_uri=https://yourdomain.com/redirect&scope=market:1234&response_type=code' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'
On success, the API responds with a 200 OK status code. If the client_id exists, the user is prompted to authorize the 3rd party application to access their data. After the authorization, the browser is redirected to the redirect_uri with a code parameter in the URL.
To get an access token using the authorization_code grant type, send a POST request to your Commerce Layer subdomain /oauth/token endpoint, passing the API client credentials and the code you got from the previous step in the request body.
POST https://yourdomain.commercelayer.io/oauth/token
Body parameter | Type | Required | Description |
---|---|---|---|
grant_type | string | Required | authorization_code |
code | string | Required | The authorization code that you got from the redirect_uri query string. |
client_id | string | Required | Your application's client_id . |
client_secret | string | Required | Your application's client_secret . |
redirect_uri | string | Required | Your application's redirect_uri . |
scope | string | Optional | Your access token scope (market). |
The following request tries to get an access token for a webapp, using the authorization_code grant type with the code you got from the previous step:
curl -g -X POST \
'https://yourdomain.commercelayer.io/oauth/token' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "authorization_code",
"code": "your-authorization-code",
"client_id": "your-client-id",
"client_secret": "your-client-secret",
"redirect_uri": "https://yourdomain.com/redirect"
}'
On success, the API responds with a 200 OK status code, returning the requested access token and customer info, along with a refresh token:
{
"access_token": "your-access-token",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "your-refresh-token",
"scope": "market:1234",
"created_at": 123456789,
"owner_id": "zxcVBnMASd",
"owner_type": "user"
}
The returned scope is the same passed as a query parameter in the request you made to get your-authorization-code.
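The two steps above, carried through in one small client, as an added example (it is not Commerce Layer's own SDK or documentation code). It builds the /oauth/authorize URL, pulls the code parameter out of the redirect, and posts the token request with exactly the body fields listed in the table. The HTTP call is injected as a `post_json(url, body) -> (status, dict)` callable so the flow can run offline against the constructed `fake_post_json` below; the `received_at`/`now` bookkeeping that refuses codes older than the 10-minute lifetime, the check that the redirect landed on the registered redirect_uri, and the check that the granted scope equals the requested one are this example's own additions, not behaviour the page attributes to the API.

```python
"""Authorization code flow client: added example, not Commerce Layer's own code."""
import json
import time
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://dashboard.commercelayer.io/oauth/authorize"
CODE_LIFETIME_SECONDS = 10 * 60  # authorization codes expire after 10 minutes


def build_authorize_url(client_id, redirect_uri, scope=None):
    """Step 1: the GET URL the browser is sent to; response_type must be 'code'."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code"}
    if scope:
        params["scope"] = scope  # e.g. "market:1234"
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(redirected_url, expected_redirect_uri):
    """Read the `code` query parameter from the URL the browser was redirected to.

    Assumption of this example: only accept it if scheme, host and path match the
    redirect_uri we registered, so a code delivered elsewhere is never exchanged.
    """
    got, want = urlparse(redirected_url), urlparse(expected_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect landed on an unexpected URL")
    codes = parse_qs(got.query).get("code")
    if not codes or len(codes) != 1:
        raise ValueError("missing or ambiguous code parameter")
    return codes[0]


def exchange_code(post_json, subdomain, client_id, client_secret, redirect_uri,
                  code, received_at, scope=None, now=None):
    """Step 2: POST the code to https://<subdomain>.commercelayer.io/oauth/token."""
    now = time.time() if now is None else now
    if now - received_at > CODE_LIFETIME_SECONDS:  # example's own staleness guard
        raise ValueError("authorization code is older than 10 minutes; restart the flow")
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }
    if scope:
        body["scope"] = scope
    status, payload = post_json(f"https://{subdomain}.commercelayer.io/oauth/token", body)
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")
    # The page states the returned scope equals the one requested; treat a mismatch as an error.
    if scope and payload.get("scope") != scope:
        raise RuntimeError("granted scope differs from requested scope")
    return payload


def urllib_post_json(url, body):
    """Real transport for live use: JSON POST with the headers from the curl example."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.loads(resp.read().decode())


def fake_post_json(url, body):
    """Constructed stand-in for the token endpoint so the example runs offline."""
    if not url.endswith("/oauth/token") or body.get("grant_type") != "authorization_code":
        return 400, {"error": "invalid_request"}
    if body.get("code") != "constructed-auth-code":
        return 401, {"error": "invalid_grant"}
    return 200, {"access_token": "constructed-access-token", "token_type": "bearer",
                 "expires_in": 7200, "refresh_token": "constructed-refresh-token",
                 "scope": "market:1234", "created_at": 123456789,
                 "owner_id": "constructed-owner-id", "owner_type": "user"}


if __name__ == "__main__":
    redirect = "https://yourdomain.com/redirect"
    print(build_authorize_url("your-client-id", redirect, "market:1234"))
    # Constructed redirect URL, as the browser would receive it after the user consents.
    code = extract_code(redirect + "?code=constructed-auth-code", redirect)
    token = exchange_code(fake_post_json, "yourdomain", "your-client-id",
                          "your-client-secret", redirect, code,
                          received_at=time.time(), scope="market:1234")
    print(json.dumps(token, indent=2))
```

Swap `fake_post_json` for `urllib_post_json` to run against a real subdomain; keep the client_secret server-side, since this grant is meant for a webapp backend, not a browser.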