Client credentials

How to execute the authorization flow and get your access token

Sales channels use the client_credentials grant type to get a "guest" access token. Integrations use the client_credentials grant type to get an access token for themselves.

By including a scope in the access token request, all the resources that you fetch are automatically filtered.

Getting an access token

To get an access token using the client_credentials grant type, send a POST request to the /oauth/token endpoint, passing the API client credentials in the request body.

Request

POST https://auth.commercelayer.io/oauth/token

Arguments

Body parameter Type Required Description

Body parameter	Type	Required	Description
`grant_type`	String	Required	`client_credentials`
`client_id`	String	Required	The client ID (from you API credentials).
`client_secret`	String	Optional	Your client secret (required for confidential API credentials).
`scope`	String	Optional	Your access token scope (market, stock location).

grant_type

String

Required

client_credentials

client_id

String

Required

The client ID (from you API credentials).

client_secret

String

Optional

Your client secret (required for confidential API credentials).

scope

String

Optional

Your access token scope (market, stock location).

Sales channels require a market in scope when requesting their access token to perform the permitted CRUD actions. On the other hand, they don't require the client_secret argument when using the client_credentials grant type. That lets you use them safely client-side.

Examples

Sales channel

The following request tries to get an access token for a sales channel, using the client_credentials grant type and putting in scope the market identified by the ID "xYZkjABcde":

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "grant_type": "client_credentials",
  "client_id": "{{your_client_id}}",
  "scope": "market:id:xYZkjABcde"
}'

On success, the API responds with a 200 OK status code, returning the requested access token:

{
  "access_token": "acC3sSt0K3Nwrt6kic7.abc4bnm5...",
  "token_type": "bearer",
  "expires_in": 14400,
  "scope": "market:id:xYZkjABcde",
  "created_at": 123456789
}

Integration

The following request tries to get an access token for an integration, using the client_credentials grant type:

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "grant_type": "client_credentials",
  "client_id": "{{your_client_id}}",
  "client_secret": "{{your_client_secret}}"
}'

On success, the API responds with a 200 OK status code, returning the requested access token:

{
    "access_token": "acC3sSt0K3Nwrt6kic7.abc4bnm5...",
    "token_type": "bearer",
    "expires_in": 7200,
    "scope": "market:all",
    "created_at": 123456789
}

PreviousAuthentication NextPassword

Last updated 6 months ago