Password

How to execute the authorization flow and get your access token

Last updated 1 year ago

The password grant type is used by sales channels to exchange customer credentials for an access token (i.e. to get a "logged" access token).

By including a scope in the access token request, all the resources that you fetch are automatically filtered.

Getting an access token

To get an access token using the password grant type, send a POST request to the /oauth/token endpoint, passing the API client credentials in the request body.

Request

POST https://auth.commercelayer.io/oauth/token

Arguments

| Body parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | String | Required | password |
| username | String | Required | The customer's email address. |
| password | String | Required | The customer's password. |
| client_id | String | Required | Your client ID (from your API credentials). |
| scope | String | Optional | Your access token scope (market, stock location). |

Example

Sales channel

The following request tries to get an access token for a sales channel, using the password grant type for a specific user, putting in scope the market identified by the ID "xYZkjABcde":

curl -g -X POST \
  'https://auth.commercelayer.io/oauth/token' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "grant_type": "password",
  "username": "john@example.com",
  "password": "s3creT",
  "client_id": "{{your_client_id}}",
  "scope": "market:id:xYZkjABcde"
}'

On success, the API responds with a 200 OK status code, returning the requested access token and owner info, along with a refresh token:

{
    "access_token": "acC3sSt0K3Nwrt6kic7.abc4bnm5...",
    "token_type": "bearer",
    "expires_in": 14400,
    "refresh_token": "r3fResHt0k3nvbn7mnr9ert123",
    "scope": "market:id:xYZkjABcde",
    "created_at": 123456789,
    "owner_id": "zxcVBnMASd",
    "owner_type": "customer"
}
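
The same flow in Python, as an added example that is not part of the Commerce Layer documentation: it builds the request from the Arguments table and checks the response fields shown above before the token is used. The function names, the scope-equality check and the log redaction are assumptions of this example.

```python
import json
import urllib.request

TOKEN_URL = "https://auth.commercelayer.io/oauth/token"  # endpoint from the page

def build_token_request(username, password, client_id, scope=None):
    """Build the POST request for the password grant (fields from the Arguments table)."""
    body = {"grant_type": "password", "username": username,
            "password": password, "client_id": client_id}
    if scope:  # scope is the only optional argument
        body["scope"] = scope
    return urllib.request.Request(
        TOKEN_URL, data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json"})

def check_token_response(resp, requested_scope=None):
    """Validate a decoded token response; return the Unix time at which it expires."""
    for field in ("access_token", "token_type", "expires_in", "created_at", "owner_type"):
        if field not in resp:
            raise ValueError(f"missing field: {field}")
    if resp["token_type"].lower() != "bearer":
        raise ValueError("unexpected token_type")
    if resp["owner_type"] != "customer":
        raise ValueError("token is not bound to a customer")
    # Assumption of this example: the granted scope must equal the requested one,
    # because the scope decides how fetched resources are filtered.
    if requested_scope and resp.get("scope") != requested_scope:
        raise ValueError("granted scope differs from requested scope")
    return resp["created_at"] + resp["expires_in"]

def redact(resp):
    """Copy of the response that is safe to log: both tokens are masked."""
    return {k: ("<redacted>" if k in ("access_token", "refresh_token") else v)
            for k, v in resp.items()}

# Constructed sample, copied from the response shown on this page.
SAMPLE = {"access_token": "acC3sSt0K3Nwrt6kic7.abc4bnm5...", "token_type": "bearer",
          "expires_in": 14400, "refresh_token": "r3fResHt0k3nvbn7mnr9ert123",
          "scope": "market:id:xYZkjABcde", "created_at": 123456789,
          "owner_id": "zxcVBnMASd", "owner_type": "customer"}

if __name__ == "__main__":
    req = build_token_request("john@example.com", "s3creT", "{{your_client_id}}",
                              "market:id:xYZkjABcde")
    print(req.get_method(), req.full_url)  # the request is built here, not sent
    print("expires at", check_token_response(SAMPLE, "market:id:xYZkjABcde"))
    print(redact(SAMPLE))
```

To send the request, pass the object returned by `build_token_request` to `urllib.request.urlopen` and decode the JSON body before calling `check_token_response`.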