Getting started
Authorization code
How to execute the authorization flow and get your access token
The
authorization_code grant type is used by webapp applications to exchange an authorization code for an access token.Unlike the other grant types, the
authorization_code flow requires two steps:- 1.
- 2.
For security reasons, authorization codes expire after 10 minutes.
Getting an authorization code
To get an authorization code, send a
GET request to the Commerce Layer dashboard /oauth/authorize endpoint with the application credentials and the response type as query parameters.The response type must be
code.Request
GET https://dashboard.commercelayer.io/oauth/authorize
Arguments
Query parameter
Type
Required
Description
client_id
stringRequired
Your application
client_idredirect_uri
stringRequired
Your application
redirect_uriscope
stringOptional
Your access token scope (market, stock location)
response_type
stringRequired
codeExample
Webapp
Request
Response
The following request tries to get an authorization code, putting in scope the market identified by the number "1234":
1
curl -g -X GET \
2
'https://dashboard.commercelayer.io/oauth/authorize?client_id=your-client-id&redirect_uri=https://yourdomain.com/redirect&scope=market:1234&response_type=code' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json'
Copied!
On success, the API responds with a
200 OK status code.If the
client_id exists, the user is prompted to authorize the 3rd party application to access their data. After the authorization, the browser is redirected to the redirect_uri with a code parameter in the URL.Getting an access token
To get an access token using the
authorization_code grant type, send a POST request to your Commerce Layer subdomain /oauth/token endpoint, passing the application credentials and the code you got from the previous step in the request body.Request
POST https://yourdomain.commercelayer.io/oauth/token
Arguments
Body parameters
Type
Required
Description
grant_type
stringRequired
authorization_codecode
stringRequired
The authorization code that you got from the
redirect_uri query stringclient_id
stringRequired
Your application
client_idclient_secret
stringRequired
Your application
client_secretredirect_uri
stringRequired
Your application
redirect_uriscope
stringOptional
Your access token scope (market)
Example
Webapp
Request
Response
The following request tries to get an access token for a webapp application, using the
authorization_code grant type with the code you got from the previous step:1
curl -g -X POST \
2
'https://yourdomain.commercelayer.io/oauth/token' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json' \
5
-d '{
6
"grant_type": "authorization_code",
7
"code": "your-authorization-code",
8
"client_id": "your-client-id",
9
"client_secret": "your-client-secret",
10
"redirect_uri": "https://yourdomain.com/redirect"
11
}'
Copied!
On success, the API responds with a
200 OK status code, returning the requested access token and customer info, along with a refresh token:1
{
2
"access_token": "your-access-token",
3
"token_type": "bearer",
4
"expires_in": 7200,
5
"refresh_token": "your-refresh-token",
6
"scope": "market:1234",
7
"created_at": 123456789,
8
"owner_id": "zxcVBnMASd",
9
"owner_type": "user"
10
}
Copied!
The returned
scope is the same passed as a query parameter in the request you made to get your-authorization-code.Last modified 5mo ago