Authorization code
How to execute the authorization flow and get your access token
The authorization_code grant type is used by webapp applications to exchange an authorization code for an access token.
Unlike the other grant types, the authorization_code flow requires two steps:
  1. Get an authorization code
  2. Exchange the authorization code for an access token
For security reasons, authorization codes expire after 10 minutes.

Getting an authorization code

To get an authorization code, send a GET request to the Commerce Layer dashboard /oauth/authorize endpoint with the application credentials and the response type as query parameters.
The response type must be code.

Request

GET https://dashboard.commercelayer.app/oauth/authorize

Arguments

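| Query parameter | Type   | Required | Description                                      |
|-----------------|--------|----------|--------------------------------------------------|
| client_id       | string | Required | Your application client_id                       |
| redirect_uri    | string | Required | Your application redirect_uri                    |
| scope           | string | Optional | Your access token scope (market, stock location) |
| response_type   | string | Required | code                                             |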

Example

The following request tries to get an authorization code, putting in scope the market identified by the number "1234":
    curl -g -X GET \
      'https://dashboard.commercelayer.app/oauth/authorize?client_id=your-client-id&redirect_uri=https://yourdomain.com/redirect&scope=market:1234&response_type=code' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json'
On success, the API responds with a 200 OK status code.
If the client_id exists, the user is prompted to authorize the third-party application to access their data. After the authorization, the browser is redirected to the redirect_uri with a code parameter in the URL.

Getting an access token

To get an access token using the authorization_code grant type, send a POST request to your Commerce Layer subdomain /oauth/token endpoint, passing the application credentials and the code you got from the previous step in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/token

Arguments

| Body parameter | Type   | Required | Description                                                            |
|----------------|--------|----------|------------------------------------------------------------------------|
| grant_type     | string | Required | authorization_code                                                     |
| code           | string | Required | The authorization code that you got from the redirect_uri query string |
| client_id      | string | Required | Your application client_id                                             |
| client_secret  | string | Required | Your application client_secret                                         |
| redirect_uri   | string | Required | Your application redirect_uri                                          |
| scope          | string | Optional | Your access token scope (market)                                       |

Example

The following request tries to get an access token for a webapp application, using the authorization_code grant type with the code you got from the previous step:
    curl -g -X POST \
      'https://yourdomain.commercelayer.io/oauth/token' \
      -H 'Accept: application/json' \
      -H 'Content-Type: application/json' \
      -d '{
        "grant_type": "authorization_code",
        "code": "your-authorization-code",
        "client_id": "your-client-id",
        "client_secret": "your-client-secret",
        "redirect_uri": "https://yourdomain.com/redirect"
      }'
On success, the API responds with a 200 OK status code, returning the requested access token and customer info, along with a refresh token:
    {
      "access_token": "your-access-token",
      "token_type": "bearer",
      "expires_in": 7200,
      "refresh_token": "your-refresh-token",
      "scope": "market:1234",
      "created_at": 123456789,
      "owner_id": "zxcVBnMASd",
      "owner_type": "user"
    }
The returned scope is the same as the one passed as a query parameter in the request you made to get your-authorization-code.
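The two steps above as client-side helpers, added here as an example and not Commerce Layer's own code: it percent-encodes the authorize query, accepts a code only from a callback that matches the registered redirect_uri, and checks that the token's scope is the one requested. The function names and the received_at timestamp (recorded by your application when the callback arrives) are assumptions; the endpoint, parameters and 10-minute lifetime come from this page.

```python
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://dashboard.commercelayer.app/oauth/authorize"
CODE_TTL_SECONDS = 10 * 60  # authorization codes expire after 10 minutes


def build_authorize_url(client_id, redirect_uri, scope=None):
    """Step 1: authorization request URL with every value percent-encoded."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code"}
    if scope:
        params["scope"] = scope
    return AUTHORIZE_URL + "?" + urlencode(params)


def extract_code(callback_url, redirect_uri):
    """Read `code` from the redirect; reject any other scheme, host or path."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one non-empty code parameter")
    return codes[0]


def build_token_request(code, received_at, client_id, client_secret, redirect_uri, now=None):
    """Step 2: JSON body for POST /oauth/token. The local age check (an
    assumption of this example) only avoids a doomed request; the server decides."""
    now = time.time() if now is None else now
    if now - received_at > CODE_TTL_SECONDS:
        raise ValueError("authorization code expired, restart the flow")
    return json.dumps({"grant_type": "authorization_code", "code": code,
                       "client_id": client_id, "client_secret": client_secret,
                       "redirect_uri": redirect_uri})


def check_token_response(body, requested_scope):
    """Accept the response only if it is a bearer token with the requested scope."""
    token = json.loads(body)
    if token.get("token_type") != "bearer" or not token.get("access_token"):
        raise ValueError("not a bearer token response")
    if token.get("scope") != requested_scope:
        raise ValueError("returned scope differs from the requested scope")
    return token
```

Keep client_secret and the token request on the server side; only the authorize URL is meant to reach the browser.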