Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


All requests to the API need to be accompanied by an authorization header with an authentication token:

Authorization: Bearer 212LJ3k0i2382364HIUEjfeJB98yvH

Authentication token gives permissions for the client to access their data, and is used to authenticate a request to the API endpoint.

{% hint style="info" %} Read our Quick Start guide on how to make your first API request. {% endhint %}

Authentication tokens are generated via the authentication endpoint and expire within 1 hour. They need to be then regenerated. If you're using our JavaScript SDK this is automatically handled for you.

There are two main token types available for use within your store client_credentials and implicit. The implicit token is the more limited of the two, restricting access to mostly read-only, whereas client credential token has full read and write access.

{% hint style="warning" %} You should never use or disclose your client_secret in public. {% endhint %}

{% tabs %} {% tab title="Attributes" %} | Attribute | Type | Description | | :--- | :--- | :--- | | expires | timestamp | The epoch time that this token expires at. | | identifier | string | The type of token requested. This can be a client_credentials or implicit. | | expires_in | integer | The duration in seconds in which the token will expire. | | access_token | string | The access token you will use for subsequent authenticated requests to the API. | | token_type | string | Right now this will only be Bearer. | {% endtab %}

{% tab title="Sample Response" %}

  "expires": 1500638876,
  "identifier": "client_credentials",
  "expires_in": 3600,
  "access_token": "xa3521ca621113e44eeed9232fa3e54571cb08bc",
  "token_type": "Bearer"

{% endtab %} {% endtabs %}

Client credentials vs. implicit use case scenarios

Typically, you'd use the implicit authentication method for client-side browser based applications (i.e. frontend), and client credentials for all administrative tasks (CRUD) you'd need to perform at the backend.

Customer authentication

You may also use generate customer tokens to authenticate your customers with an email and password. You can use this to create and filter orders and addresses.

You can’t perform that action at this time.