# Roles and permissions Commerce Layer supports a granular access control system on a resource level. Each access token gets a specific set of permissions. The client and the [authorization flow](https://docs.commercelayer.io/core/authentication#authorization-flows) determine your permitted actions for each resource. {% content-ref url="authentication" %} [authentication](https://docs.commercelayer.io/core/authentication) {% endcontent-ref %} ### Sales channel [Sales channels](https://docs.commercelayer.io/core/api-credentials#sales-channel) support `client_credentials`, `password` and `refresh_token` [grant types](https://docs.commercelayer.io/core/authentication#authorization-grant-flows). Given their limited permissions, they can be safely used in client-side applications. #### Client credentials Sales channels that authenticate through `client_credentials` get the following permissions. {% hint style="danger" %} For security reasons **sales channels** can read resource lists only for a subset of resources (e.g. SKUs, prices, bundles, etc. — *Show+List* in the table below). Getting a list is not allowed for all the other resources (only *Show* in the table below). For example, a sales channel is authorized to perform a `GET` request to the `/api/orders/xYZkjABcde` but not to the `/api/orders` endpoint. {% endhint %}

Resource	Create	Read	Update	Delete	Restrictions
Addresses	true	Show	true	true	Single resource only.
Application	false	Show	false	false	The kind of API credentials you're currently using.
Bundles	false	List, Show	false	false	Bundles associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope.
Customers	true		false	false
Customer password resets	false		true	false
Customer subscriptions	true	Show	true	true	Single resource only.
Delivery lead times	false	List, Show	false	false	Delivery lead times associated with the shipping methods accessible by scope.
Geocoders	false	Show	false	false	Single resource only.
Gift cards	true	Show	true	true	If draft (single resource only).
Gift card recipients	true	Show	true	true	Single resource only.
In-stock subscriptions	true	Show	true	true	In-stock subscriptions associated with the market in scope (single resource only).
Line items	true	Show	true	true	Can be read if belonging to draft, pending or placed orders and updated/deleted if belonging to draft or pending orders (single resource only).
Line item options	true	Show	true	true	Can be read if belonging line items associated with draft, pending or placed orders and updated/deleted if belonging to line items associated with draft or pending orders (single resource only).
Notifications	false	List, Show	false	false
Orders	true	Show	true	false	Can be read if draft, pending or placed, as long as marked as `guest`. Can be updated if draft or pending (single resource only).
Organization	false	Show	false	false	Your current organization.
Payment methods	false	List, Show	false	false	Enabled payment methods associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope.
Payment sources	true	Show	true	true	Can be read if belonging to draft, pending or placed orders and updated/deleted if belonging to draft or pending orders (single resource only).
Prices	false	List, Show	false	false	Prices associated with the market price list.
Price tiers	false	List, Show	false	false	Price tiers associated with the prices accessible by scope.
Promotions	false	List, Show	false	false	Active promotions associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope, plus all promotions that aren't associated with any market and currency code.
Promotion rules	false	Show	false	false	Promotion rules associated with the promotions accessible by scope (single resource only).
Reserved stocks	false	List, Show	false	false	Reserved stocks belonging to the stock items of the stock locations associated with the market in scope.
Shipments	false	Show	true	false	Can be read if belonging to draft, pending or placed orders and updated if belonging to draft or pending orders (single resource only).
Stock line items	false	Show	false	false	Can be read if belonging to shipments associated with draft, pending, editing or placed orders (single resource only).
Shipping methods	false	List, Show	false	false	Enabled shipping methods associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope. If stock location is specified, it's matched with the one in scope.
Shipping method tiers	false	List, Show	false	false	Shipping method tiers associated with the shipping methods accessible by scope.
SKUs	false	List, Show	false	false	SKUs with stock items in the market inventory model (unless not tracked), a price in the market price list (unless external prices allowed).
SKU options	false	List, Show	false	false	SKU options associated with the market in scope, or (if no market is in scope) with the currency code of the price list in scope.
SKU lists	false	Show	false	false	Single resource only.
SKU list items	false	Show	false	false	Single resource only.
Stock items	false	List, Show	false	false	SKU items belonging to the stock locations associated with the market in scope.
Stock transfers	false	Show	false	false	Can be read if belonging to shipments associated with draft, pending, editing or placed orders (single resource only).
Subscription models	false	List, Show	false	false	Subscription models associated with the market in scope.
Tags	false	Show	false	false	Allowed for specific resources only.

#### Password Sales channels can authenticate a customer through the `password` flow. The access tokens that they get include the sum of the [client credentials permissions](#client-credentials) plus the ones below.

Resource	Create	Read	Update	Delete	Restrictions
Customers	false	true	true	true	The customer must be the authenticated resource owner.
Customer addresses	true	true	true	true	The customer must be the authenticated resource owner.
Customer payment sources	false	true	true	true	The customer must be the authenticated resource owner.
Customer subscriptions	true	true	true	true	The customer must be the authenticated resource owner.
Line items	true	true	true	true	The line items must belong to one of the customer's orders.
Line item options	true	true	true	true	The line item options must belong to one of the line items associated with one of the customer's orders.
Orders	true	true	true	true	Can be deleted only if in `editing` status. The customer must be the authenticated resource owner.
Order subscriptions	true	true	true	false	The subscriptions must be associated with one of the customer's orders.
Order subscription items	true	true	true	false	The subscriptions items must be associated with one of the customer's subscriptions.
Parcels	false	true	false	false	The parcels must belong to one of the customer's orders.
Parcel line items	false	true	false	false	The parcel line items must belong to one of the parcels associated with one of the customer's orders.
Returns	true	true	true	false	Can be created for one of the customer's order and updated if in draft status.
Return line items	true	true	false	false	The return line items must belong to one of the returns associated with one of customer's order.
Shipments	false	true	true	false	The shipments must belong to one of the customer's orders.
SKU lists	true	true	true	true	The customer must be the authenticated resource owner.
SKU list items	true	true	true	true	The customer must be the authenticated owner of the associated SKU list.

{% hint style="warning" %} Since customer tokens extend sales channels abilities, to get a list of resources belonging to a customer for those resources that [sales channels](#sales-channel) cannot list you need to fetch them [as relationships](https://docs.commercelayer.io/core/fetching-relationships#fetching-a-list-of-related-resources-1-n-relationship) via the `api/customers` endpoint. For example, you can get all the orders belonging to a customer by querying with a customer token the endpoint `api/customers/xYZkjABcde/orders`, where `xYZkjABcde` is the ID of the customer for which the token was issued. {% endhint %} #### Refresh token An access token obtained through a `refresh_token` inherit the same set of permissions as the one that expired. ### Integration [Integrations](https://docs.commercelayer.io/core/api-credentials#integration) support the `client_credentials` grant type. The access tokens that they get include the set of permissions of their role. {% hint style="info" %} With very few exceptions, the [Core resources](https://app.gitbook.com/o/-Lfu_B3DKew-kvoEWzTk/s/RWJeylueWkzLadK710XZ/) not listed in one of the tables above are likely manageable using **integration** API credentials only. {% endhint %} ### Webapp [Webapps](https://docs.commercelayer.io/core/api-credentials#webapp) support `authorization_code` and `refresh_token` grant types. They don't bring any grants to the access tokens and get the set of permissions of the authenticated user's role. Access tokens obtained through a `refresh_token` inherit the same set of permissions as the one that expired.