Sign up for free
Search…
API Reference
Introduction
Getting started
Authentication
Client credentials
Password
Authorization code
Refresh token
Roles and permissions
Fetching resources
Including associations
Sparse fieldsets
Sorting results
Pagination
Filtering data
Creating resources
Updating resources
Deleting resources
Importing resources
External resources
Handling errors
Real-time webhooks
Callbacks security
Resources
Addresses
Adjustments
Adyen gateways
Adyen payments
Applications
Attachments
Authorizations
Avalara accounts
Billing info validation rules
Bing geocoders
Braintree gateways
Braintree payments
Bundles
Captures
Carrier accounts
Checkout com gateways
Checkout com payments
Coupon codes promotion rules
Coupon recipients
Coupons
Customer addresses
Customer groups
Customer password resets
Customer payment sources
Customer subscriptions
Customers
Delivery lead times
Event callbacks
External gateways
External payments
External promotions
External tax calculators
Fixed amount promotions
Fixed price promotions
Free gift promotions
Free shipping promotions
Geocoders
Gift card recipients
Gift cards
Google geocoders
Imports
In stock subscriptions
Inventory models
Inventory return locations
Inventory stock locations
Line item options
Line items
Manual gateways
Manual tax calculators
Markets
Merchants
Order amount promotion rules
Order copies
Order subscriptions
Order validation rules
Orders
Organizations
Packages
Parcel line items
Parcels
Payment gateways
Payment methods
Paypal gateways
Paypal payments
Percentage discount promotions
Price lists
Prices
Promotion rules
Promotions
Refunds
Return line items
Returns
Shipments
Shipping categories
Shipping methods
Shipping zones
SKU list items
SKU list promotion rules
SKU lists
SKU options
SKUs
Stock items
Stock line items
Stock locations
Stock transfers
Stripe gateways
Stripe payments
Tax calculators
Tax categories
Tax rules
Taxjar accounts
Transactions
Voids
Webhooks
Wire transfers
Refresh token
How to execute the authorization flow and get your access token
The refresh_token grant type is used by clients to exchange a refresh token for an expired access token.
Sales channel applications can use the refresh_token grant type to refresh a customer's access token with a "remember me" option. Webapp applications can use the refresh_token grant type to refresh the access token skipping the authorization code step.
A refresh token can be revoked before its natural expiration date.

Getting an access token

To get an access token using the refresh_token grant type, send a POST request to the /oauth/token endpoint, passing the application credentials in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/token

Arguments

Body parameter
Type
Required
Description
grant_type
string
Required
refresh_token
refresh_token
string
Required
A valid refresh_token
client_id
string
Required
Your application client_id
client_secret
string
Optional
Your application client_secret (required in case of authorization code flow)

Examples

Sales channel application with password flow

Request
Response
The following request tries to exchange a valid refresh token for an expired access token:
1
curl -g -X POST \
2
'https://yourdomain.commercelayer.io/oauth/token' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json' \
5
-d '{
6
"grant_type": "refresh_token",
7
"refresh_token": "your-refresh-token",
8
"client_id": "your-client-id"
9
}'
Copied!
On success, the API responds with a 200 OK status code, returning the requested access token and customer info:
1
{
2
"access_token": "your-access-token",
3
"token_type": "bearer",
4
"expires_in": 7200,
5
"refresh_token": "your-new-refresh-token",
6
"scope": "market:1234",
7
"created_at": 123456789,
8
"owner_id": "zxcVBnMASd",
9
"owner_type": "customer"
10
}
Copied!
The returned scope is the same passed in the request you made to get your-refresh-token.

Webapp application with authorization code flow

Request
Response
The following request tries to exchange a valid refresh token for an expired access token:
1
curl -g -X POST \
2
'https://yourdomain.commercelayer.io/oauth/token' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json' \
5
-d '{
6
"grant_type": "refresh_token",
7
"refresh_token": "your-refresh-token",
8
"client_id": "your-client-id",
9
"client_secret": "your-client-secret"
10
}'
Copied!
On success, the API responds with a 200 OK status code, returning the requested access token and customer info:
1
{
2
"access_token": "your-access-token",
3
"token_type": "bearer",
4
"expires_in": 7200,
5
"refresh_token": "your-new-refresh-token",
6
"scope": "market:1234",
7
"created_at": 123456789,
8
"owner_id": "zxcVBnMASd",
9
"owner_type": "customer"
10
}
Copied!
The returned scope is the same (if any) passed in the request you made to get your-refresh-token.

Revoking a refresh token

To revoke a refresh token, send a POST request to the /oauth/revoke endpoint, passing the required parameters in the request body.

Request

POST https://yourdomain.commercelayer.io/oauth/revoke

Arguments

Body parameter
Type
Required
Description
client_id
string
Required
Your application client_id
token
string
Required
A valid refresh_token

Example

Request
Response
The following request revokes a refresh token, before its natural expiration date:
1
curl -g -X POST \
2
'https://yourdomain.commercelayer.io/oauth/revoke' \
3
-H 'Accept: application/json' \
4
-H 'Content-Type: application/json' \
5
-d '{
6
"client_id": "your-client-id",
7
"token": "your-refresh-token"
8
}'
Copied!
On success, the API responds with a 200 OK status code, returning an empty object.
Previous
Authorization code
Next
Roles and permissions
Last modified 1mo ago
Copy link
Contents
Getting an access token
Request
Arguments
Examples
Revoking a refresh token
Request
Arguments
Example