# Password

The `password` grant type is used by **sales channels** to exchange customer credentials for an access token (i.e. to get a "logged" access token).

{% hint style="info" %}
By [including a scope](https://docs.commercelayer.io/core/authentication/..#authorization-scopes) in the access token request, all the resources that you fetch are automatically filtered.
{% endhint %}

## Getting an access token

To get an access token using the `password` grant type, send a `POST` request to the `/oauth/token` endpoint, passing the customer's credentials and your API client ID in the request body.

### Request

**POST** `https://auth.commercelayer.io/oauth/token`

### Arguments

| Body parameter   | Type   | Required | Description                                       |
| ---------------- | ------ | -------- | ------------------------------------------------- |
| **`grant_type`** | String | Required | `password`                                        |
| **`username`**   | String | Required | The customer's email address.                     |
| **`password`**   | String | Required | The customer's password.                          |
| **`client_id`**  | String | Required | Your client ID (from your API credentials).       |
| **`scope`**      | String | Optional | Your access token scope (market, stock location). |

### Example

#### Sales channel

{% tabs %}
{% tab title="Request" %}
The following request tries to get an access token for a sales channel, using the `password` grant type for a specific user, putting in scope the market identified by the ID "xYZkjABcde":

<pre class="language-sh"><code class="lang-sh">curl -g -X POST \
  'https://auth.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
<strong>  "grant_type": "password",
</strong><strong>  "username": "john@example.com",
</strong><strong>  "password": "s3creT",
</strong><strong>  "client_id": "{{your_client_id}}",
</strong><strong>  "scope": "market:id:xYZkjABcde"
</strong>}'
</code></pre>

{% endtab %}

{% tab title="Response" %}
On success, the API responds with a `200 OK` status code, returning the requested access token and owner info, along with a [refresh token](https://docs.commercelayer.io/core/refresh-token#sales-channel):

<pre class="language-json"><code class="lang-json">{
<strong>    "access_token": "acC3sSt0K3Nwrt6kic7.abc4bnm5...",
</strong>    "token_type": "bearer",
    "expires_in": 14400,
<strong>    "refresh_token": "r3fResHt0k3nvbn7mnr9ert123",
</strong>    "scope": "market:id:xYZkjABcde",
    "created_at": 123456789,
<strong>    "owner_id": "zxcVBnMASd",
</strong><strong>    "owner_type": "customer"
</strong>}
</code></pre>

{% endtab %}
{% endtabs %}
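
The same request issued from application code, with the response checked before the token is used. This is an added example, not code from Commerce Layer: the function names are hypothetical, the scope is assumed to be echoed back exactly as requested, and `created_at` is assumed to be a Unix timestamp in seconds.

```javascript
// Added example, not Commerce Layer's code; function names are hypothetical.
const TOKEN_URL = 'https://auth.commercelayer.io/oauth/token';

// Build fetch() arguments. JSON.stringify escapes quotes and backslashes in the
// password, which hand-assembled JSON or shell interpolation would not.
function buildPasswordGrantRequest({ username, password, clientId, scope }) {
  for (const [name, value] of Object.entries({ username, password, clientId })) {
    if (typeof value !== 'string' || value === '') throw new TypeError(`${name} is required`);
  }
  const body = { grant_type: 'password', username, password, client_id: clientId };
  if (scope) body.scope = scope; // optional, e.g. "market:id:xYZkjABcde"
  return {
    url: TOKEN_URL,
    init: {
      method: 'POST',
      headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    },
  };
}

// Check the fields shown in the response above before trusting the token.
function parseTokenResponse(json, requestedScope) {
  if (typeof json.access_token !== 'string' || json.access_token === '') {
    throw new Error('no access_token in response');
  }
  if (String(json.token_type).toLowerCase() !== 'bearer') throw new Error('unexpected token_type');
  if (json.owner_type !== 'customer' || !json.owner_id) {
    throw new Error('token is not bound to a customer');
  }
  // Assumption: the granted scope is echoed back exactly as requested (fail closed).
  if (requestedScope && json.scope !== requestedScope) throw new Error('scope mismatch');
  return {
    accessToken: json.access_token,
    refreshToken: json.refresh_token,
    customerId: json.owner_id,
    scope: json.scope,
    // Assumption: created_at is a Unix timestamp in seconds; expires_in is in seconds.
    expiresAt: (json.created_at + json.expires_in) * 1000, // ms since epoch
  };
}

// Network call; needs a global fetch (browser or Node 18+).
async function getCustomerToken(credentials) {
  const { url, init } = buildPasswordGrantRequest(credentials);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`); // body not logged
  return parseTokenResponse(await res.json(), credentials.scope);
}
```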
