Authorization code

How to execute the authorization flow and get your access token
The authorization_code grant type is used by webapps to exchange an authorization code for an access token.
Unlike the other grant types, the authorization_code flow requires two steps:
  1. Get an authorization code
  2. Exchange the authorization code for an access token
For security reasons, authorization codes expire after 10 minutes.

Getting an authorization code

To get an authorization code, send a GET request to the Commerce Layer dashboard /oauth/authorize endpoint with the API client credentials and the response type as query parameters.
The response type must be code.

Request

GET https://dashboard.commercelayer.io/oauth/authorize

Arguments

Query parameter | Type   | Required | Description
client_id       | string | Required | Your application's client_id.
redirect_uri    | string | Required | Your application's redirect_uri.
scope           | string | Optional | Your access token scope (market, stock location).
response_type   | string | Required | code

Example

The following request tries to get an authorization code, putting in scope the market identified by the number "1234":
curl -g -X GET \
'https://dashboard.commercelayer.io/oauth/authorize?client_id=your-client-id&redirect_uri=https://yourdomain.com/redirect&scope=market:1234&response_type=code' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json'
On success, the API responds with a 200 OK status code.
If the client_id exists, the user is prompted to authorize the third-party application to access their data. After the authorization, the browser is redirected to the redirect_uri with a code parameter in the URL.

Getting an access token

To get an access token using the authorization_code grant type, send a POST request to your Commerce Layer subdomain /oauth/token endpoint, passing the API client credentials and the code you got from the previous step in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/token

Arguments

Body parameter | Type   | Required | Description
grant_type     | string | Required | authorization_code
code           | string | Required | The authorization code that you got from the redirect_uri query string.
client_id      | string | Required | Your application's client_id.
client_secret  | string | Required | Your application's client_secret.
redirect_uri   | string | Required | Your application's redirect_uri.
scope          | string | Optional | Your access token scope (market).

Example

The following request tries to get an access token for a webapp, using the authorization_code grant type with the code you got from the previous step:
curl -g -X POST \
'https://yourdomain.commercelayer.io/oauth/token' \
-H 'Accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"grant_type": "authorization_code",
"code": "your-authorization-code",
"client_id": "your-client-id",
"client_secret": "your-client-secret",
"redirect_uri": "https://yourdomain.com/redirect"
}'
On success, the API responds with a 200 OK status code, returning the requested access token and customer info, along with a refresh token:
{
"access_token": "your-access-token",
"token_type": "bearer",
"expires_in": 7200,
"refresh_token": "your-refresh-token",
"scope": "market:1234",
"created_at": 123456789,
"owner_id": "zxcVBnMASd",
"owner_type": "user"
}
The returned scope is the same one you passed as a query parameter in the request that produced your-authorization-code.
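The two steps above, seen from the webapp side, as an added example that is not Commerce Layer's own code: it builds the /oauth/authorize URL, reads the code off the redirect only if the browser landed on the registered redirect_uri, refuses codes older than the 10-minute lifetime, and checks that the returned scope matches the requested one. The `post` and `now` hooks are assumptions so the exchange step can be exercised offline; by default it performs the same JSON POST as the curl example.

```python
# Webapp side of the two-step authorization_code flow on this page. Added example,
# not Commerce Layer's own code; the `post` and `now` hooks are assumptions that
# let the exchange step run offline in a test.
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORIZE_URL = "https://dashboard.commercelayer.io/oauth/authorize"
CODE_TTL_SECONDS = 10 * 60  # authorization codes expire after 10 minutes

def build_authorize_url(client_id, redirect_uri, scope=None):
    """Step 1: the URL to send the browser to; a scope like market:1234 is URL-encoded."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "response_type": "code"}
    if scope:
        params["scope"] = scope
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def extract_code(landed_url, registered_redirect_uri):
    """Read `code` from the redirect; refuse it if the browser landed off the registered URI."""
    got, want = urlparse(landed_url), urlparse(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect landed on an unexpected URL")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def _json_post(url, body):
    """Default transport: JSON POST with the headers from the page's curl example."""
    req = Request(url, data=json.dumps(body).encode(), method="POST",
                  headers={"Accept": "application/json", "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)

def exchange_code(token_url, client_id, client_secret, redirect_uri, code,
                  received_at, scope=None, post=_json_post, now=time.time):
    """Step 2: exchange the code at /oauth/token and sanity-check the reply."""
    if now() - received_at > CODE_TTL_SECONDS:
        raise ValueError("authorization code is older than 10 minutes; restart the flow")
    body = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": redirect_uri}
    if scope:
        body["scope"] = scope
    token = post(token_url, body)
    if "access_token" not in token or token.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    if scope and token.get("scope") != scope:  # the page says these must match
        raise ValueError("returned scope differs from the requested scope")
    return token
```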