API Reference
Roles and permissions
How to set specific permitted actions for each resource
Commerce Layer supports a granular access control system on a resource level. Each access token gets a specific set of permissions. The client and the authorization flow determine your permitted actions for each resource.

Sales channel

Sales channel applications support client_credentials, password and refresh_token grant types. Given their limited permissions, they can be safely used in client-side applications.

Client credentials

Sales channel applications that authenticate through client_credentials get the following permissions.
For security reasons sales channel applications can read resource lists only for skus, sku_options, prices, promotions and bundles. Getting a list is not allowed for all the other resources. For example, a sales channel is authorized to get /api/orders/xYZkjABcde but not /api/orders endpoint.
Resource
Create
Read
Update
Delete
Restrictions
Addresses
Single resource only.
Application
The application you're currently using.
Bundles
Bundles associated with the market in scope.
Customers
Customer subscriptions
Single resource only.
Delivery lead times
Delivery lead times associated with the shipping methods enabled for the market in scope.
Geocoders
Single resource only.
Gift cards
If "draft" (single resource only).
Gift card recipients
Single resource only.
In-stock subscriptions
In-stock subscriptions associated with the market in scope.
Line items
Can be read if belonging to "draft", "pending" or "placed" orders and updated/deleted if belonging to "draft" or "pending" orders (single resource only).
Line item options
Can be read if belonging line items associated with "draft", "pending" or "placed" orders and updated/deleted if belonging to line items associated with "draft" or "pending" orders (single resource only).
Orders
Can be read if "draft", "pending" or "placed" and updated if "draft" or "pending" (single resource only).
Organization
Your current organization.
Payment methods
Enabled payment methods associated with the market in scope.
Payment sources
Can be read if belonging to "draft", "pending" or "placed" orders and updated/deleted if belonging to "draft" or "pending" orders (single resource only).
Prices
Prices associated with the market price list.
Promotions
Active promotions associated with the market in scope.
Promotion rules
Promotion rules associated with the market in scope (single resource only).
Returns
Can be created for orders associated with the market in scope and updated if in "draft" status (single resource only).
Return Line Items
Return line items associated with the market in scope (single resource only).
Shipments
Can be read if belonging to "draft", "pending" or "placed" orders and updated if belonging to "draft" or "pending" orders (single resource only).
Shipment line items
Can be read if belonging to shipments associated with "draft", "pending" or "placed" orders (single resource only).
Shipping methods
Enabled shipping methods associated with the market in scope.
SKUs
SKUs with stock items in the market inventory model and a price in the market price list.
SKU options
SKU options associated with the market in scope.
SKU lists
Single resource only.
SKU list items
Single resource only.
Stock items
SKU items belonging to the stock locations associated with the market in scope.
Stock transfers
Can be read if belonging to shipments associated with "draft", "pending" or "placed" orders (single resource only).

Password

Sales channel applications can authenticate a customer through the password flow. The access tokens that they get include the sum of the client permissions plus the ones below.
Resource
Create
Read
Update
Delete
Restrictions
Customers
The customer must be the authenticated resource owner.
Customer addresses
The customer must be the authenticated resource owner.
Customer payment sources
The customer must be the authenticated resource owner.
Customer subscriptions
The customer must be the authenticated resource owner.
Line items
The line items must belong to one of the customer's orders.
Line item options
The line item options must belong to one of the line items associated with one of the customer's orders.
Orders
The customer must be the authenticated resource owner.
Order subscriptions
The subscriptions must be associated with one of the customer's orders.
Parcels
The parcels must belong to one of the customer's orders.
Shipments
The shipments must belong to one of the customer's orders.

Refresh token

An access token obtained through a refresh_token inherit the same set of permissions as the one that expired.

Integration

Integration applications support the client_credentials grant type. The access tokens that they get include the set of permissions of their role.

Webapp

Webapp applications support authorization_code and refresh_token grant types. They don't bring any grants to the access tokens, and get the set of permissions of to the authenticated user's role. Access tokens obtained through a refresh_token inherit the same set of permissions as the one that expired.

Other application types

Other application types (such as Zapier, Contentful, DatoCMS, etc.) have more straightforward authorization rules and get the right amount of permissions that are required by the relevant tool.
Commerce Layer Zapier app is currently private. Feel free to accept this invitation and start building your zaps!
Last modified 24d ago