Client credentials
How to execute the authorization flow and get your access token
Sales channels use the `client_credentials` grant type to get a "guest" access token.

Integrations use the `client_credentials` grant type to get an access token for themselves.

By including a scope in the access token request, all the resources that you fetch are automatically filtered.
To get an access token using the `client_credentials` grant type, send a `POST` request to the `/oauth/token` endpoint, passing the API client credentials in the request body.

```
POST https://yourdomain.commercelayer.io/oauth/token
```

Body parameter | Type | Required | Description |
---|---|---|---|
`grant_type` | string | Required | `client_credentials` |
`client_id` | string | Required | Your application's `client_id`. |
`client_secret` | string | Optional | Your application's `client_secret`. |
`scope` | string | Optional | Your access token scope (market, stock location). |

Sales channels require a market in `scope` when requesting their access token to perform the permitted CRUD actions. On the other hand, they don't require the `client_secret` argument. That lets you use them safely client-side.

The following request tries to get an access token for a sales channel, using the `client_credentials` grant type and putting in scope the market identified by the number "1234":

```shell
curl -g -X POST \
  'https://yourdomain.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "your-client-id",
    "scope": "market:1234"
  }'
```

On success, the API responds with a `200 OK` status code, returning the requested access token:

```json
{
  "access_token": "your-access-token",
  "token_type": "bearer",
  "expires_in": 7200,
  "scope": "market:1234",
  "created_at": 123456789
}
```

The following request tries to get an access token for an integration, using the `client_credentials` grant type:

```shell
curl -g -X POST \
  'https://yourdomain.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "grant_type": "client_credentials",
    "client_id": "your-client-id",
    "client_secret": "your-client-secret"
  }'
```

On success, the API responds with a `200 OK` status code, returning the requested access token:

```json
{
  "access_token": "your-access-token",
  "token_type": "bearer",
  "expires_in": 7200,
  "scope": "market:all",
  "created_at": 123456789
}
```
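
The request rules above, written as a small JavaScript helper that refuses to build a sales channel request carrying a secret and reuses a token until it nears expiry. This is an added example, not code from this page or from Commerce Layer; the function names are hypothetical, and it assumes that `created_at` is a Unix timestamp in seconds and that integrations always send `client_secret`, as in the example request.

```javascript
// Added example; function names are hypothetical, not part of any SDK.
const TOKEN_URL = 'https://yourdomain.commercelayer.io/oauth/token';

// Build the request body for the two API client kinds described on this page.
function buildTokenRequest(kind, { clientId, clientSecret, scope } = {}) {
  if (!clientId) throw new Error('client_id is required');
  const body = { grant_type: 'client_credentials', client_id: clientId };
  if (kind === 'sales_channel') {
    // A sales channel needs a market in scope and is meant to run client-side,
    // so refuse to put a secret in a body that will be built in the browser.
    if (!/(^|\s)market:\S+/.test(scope || '')) {
      throw new Error('sales channel requires a market in scope');
    }
    if (clientSecret) throw new Error('client_secret must not ship client-side');
    body.scope = scope;
  } else if (kind === 'integration') {
    // Assumption: integrations always send their secret, as in the page's request.
    if (!clientSecret) throw new Error('integration requires client_secret');
    body.client_secret = clientSecret;
    if (scope) body.scope = scope;
  } else {
    throw new Error(`unknown client kind: ${kind}`);
  }
  return body;
}

// Seconds of validity left; assumes created_at is a Unix timestamp in seconds.
function secondsLeft(token, nowSeconds) {
  return token.created_at + token.expires_in - nowSeconds;
}

// Request a token, reusing a cached one until it is within `skew` seconds of expiry.
const cache = new Map();
async function getToken(kind, creds, { skew = 60, fetchImpl = fetch } = {}) {
  const key = `${creds.clientId}|${creds.scope || ''}`;
  const now = Math.floor(Date.now() / 1000);
  const hit = cache.get(key);
  if (hit && secondsLeft(hit, now) > skew) return hit;
  const res = await fetchImpl(TOKEN_URL, {
    method: 'POST',
    headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify(buildTokenRequest(kind, creds)),
  });
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const token = await res.json();
  cache.set(key, token);
  return token;
}
```

Keeping the secret check inside the builder means a sales channel bundle fails at request time if a `client_secret` is ever wired into it by mistake.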