Sign up for free
Search…
API Reference
Introduction
Getting started
Authentication
Client credentials
Password
Authorization code
Refresh token
Roles and permissions
Fetching resources
Including associations
Sparse fieldsets
Sorting results
Pagination
Filtering data
Creating resources
Updating resources
Deleting resources
Importing resources
External resources
Handling errors
Real-time webhooks
Callbacks security
Resources
Addresses
Adjustments
Adyen gateways
Adyen payments
Applications
Attachments
Authorizations
Avalara accounts
Billing info validation rules
Bing geocoders
Braintree gateways
Braintree payments
Bundles
Captures
Carrier accounts
Checkout com gateways
Checkout com payments
Coupon codes promotion rules
Coupon recipients
Coupons
Customer addresses
Customer groups
Customer password resets
Customer payment sources
Customer subscriptions
Customers
Delivery lead times
Event callbacks
External gateways
External payments
External promotions
External tax calculators
Fixed amount promotions
Fixed price promotions
Free gift promotions
Free shipping promotions
Geocoders
Gift card recipients
Gift cards
Google geocoders
Imports
In stock subscriptions
Inventory models
Inventory return locations
Inventory stock locations
Line item options
Line items
Manual gateways
Manual tax calculators
Markets
Merchants
Order amount promotion rules
Order copies
Order subscriptions
Order validation rules
Orders
Organizations
Packages
Parcel line items
Parcels
Payment gateways
Payment methods
Paypal gateways
Paypal payments
Percentage discount promotions
Price lists
Prices
Promotion rules
Promotions
Refunds
Return line items
Returns
Shipments
Shipping categories
Shipping methods
Shipping zones
SKU list items
SKU list promotion rules
SKU lists
SKU options
SKUs
Stock items
Stock line items
Stock locations
Stock transfers
Stripe gateways
Stripe payments
Tax calculators
Tax categories
Tax rules
Taxjar accounts
Transactions
Voids
Webhooks
Wire transfers
Authorization code
How to execute the authorization flow and get your access token
The authorization_code grant type is used by webapp applications to exchange an authorization code for an access token.
Unlike the other grant types, the authorization_code flow requires two steps:
  1. 1.
    Get an authorization code​
  2. 2.
    Exchange the authorization code with an access token​
For security reasons, authorization codes expire after 10 minutes.

Getting an authorization code

To get an authorization code, send a GET request to the Commerce Layer dashboard /oauth/authorize endpoint with the application credentials and the response type as query parameters.
The response type must be code.

Request

GET https://dashboard.commercelayer.app/oauth/authorize

Arguments

Query parameter
Type
Required
Description
client_id
string
Required
Your application client_id
redirect_uri
string
Required
Your application redirect_uri
scope
string
Optional
Your access token scope (market, stock location)
response_type
string
Required
code

Example

Webapp

Request
Response
The following request tries to get an authorization code, putting in scope the market identified by the number "1234":
1
curl -g -X GET \
2
'https://dashboard.commercelayer.app/oauth/authorize?client_id=your-client-id&redirect_uri=https://yourdomain.com/redirect&scope=market:1234&response_type=code' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json'
Copied!
On success, the API responds with a 200 OK status code.
If the client_id exists, the user is prompted to authorize the 3rd party application to access their data. After the authorization, the browser is redirected to the redirect_uri with a code parameter in the URL.

Getting an access token

To get an access token using the authorization_code grant type, send a POST request to your Commerce Layer subdomain /oauth/token endpoint, passing the application credentials and the code you got from the previous step in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/token

Arguments

Body parameters
Type
Required
Description
grant_type
string
Required
authorization_code
code
string
Required
The authorization code that you got from the redirect_uri query string
client_id
string
Required
Your application client_id
client_secret
string
Required
Your application client_secret
redirect_uri
string
Required
Your application redirect_uri
scope
string
Optional
Your access token scope (market)

Example

Webapp

Request
Response
The following request tries to get an access token for a webapp application, using the authorization_code grant type with the code you got from the previous step:
1
curl -g -X POST \
2
'https://yourdomain.commercelayer.io/oauth/token' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json' \
5
-d '{
6
"grant_type": "authorization_code",
7
"code": "your-authorization-code",
8
"client_id": "your-client-id",
9
"client_secret": "your-client-secret",
10
"redirect_uri": "https://yourdomain.com/redirect"
11
}'
Copied!
On success, the API responds with a 200 OK status code, returning the requested access token and customer info, along with a refresh token:
1
{
2
"access_token": "your-access-token",
3
"token_type": "bearer",
4
"expires_in": 7200,
5
"refresh_token": "your-refresh-token",
6
"scope": "market:1234",
7
"created_at": 123456789,
8
"owner_id": "zxcVBnMASd",
9
"owner_type": "user"
10
}
Copied!
The returned scope is the same passed as a query parameter in the request you made to get your-authorization-code.
Previous
Password
Next
Refresh token
Last modified 1mo ago
Copy link
Contents
Getting an authorization code
Request
Arguments
Example
Getting an access token
Request
Arguments
Example