OAuth
Learn how to authenticate to use the Store API
If you integrate with our OAuth service, you can make API requests on your member's behalf, without your member having to share their credentials with you. This unlocks building a headless members area.
The first step is to configure your OAuth application client, which you manage through your organisation settings. You'll be asked to configure your redirect_uri and give the client a name. The first time you create the application you will be shown your client_id and client_secret, which should be stored securely.
Authorizing as a member
GET {store}/oauth/authorize
Send the user to the authorize URL on the desired store.
response_type
Always code
client_id
The client_id from your application client.
redirect_uri
One of the pre-configured redirect_uri from your application client. The user will be redirected here on success.
state
Exchanging the code for a token
POST {store}/token
On successful authorization, the user will be redirected to the specified redirect_uri with code and state parameters. Use this endpoint to exchange the code for an access token.
Body
client_id
The client_id from your application client.
client_secret
The client_secret from your application client.
grant_type
Always authorization_code
redirect_uri
The redirect_uri that was used to redirect the user.
Response
{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI4YjU1ZDk3MjJlMDk0ODRlZWM2ZWQ2NzVkODM1MjViMiIsImp0aSI6IjRiMTRlYTJlMDVlN2Q2NmNlNDg4Yzk4NDY0NTEyNjYxOWQzMDU0NTY1MDdiZmJmYzZkMzlhZTdlMDBjNTNmYmIwNDJlZTA2MzdjMTg0YmU4IiwiaWF0IjoxNzUwNzAxMjI0LjI5NzQ5NiwibmJmIjoxNzUwNzAxMjI0LjI5NzUwMiwiZXhwIjoxNzUwNzA0ODI0LjI3MDYzMSwic3ViIjoiZnJlZGRkZGR5eXkrbXltZW1iZXJAZ21haWwuY29tIiwic2NvcGVzIjpbXX0.hnVZ-DIdkKE_VhmyOO5B3q-ISisc1sg2IpCgXhC3X96cxen1gvrFvtQ7GOC1HdTntMzg_DdzJ2WwmmhDyUtSm57UtYtrxbe6NwSv4OiBzC6aR7idKx7XlLu9Hp1gz0XHaDFrH_V2LCZvrf1Ygr6YyNaAavr6rWLq3I3SQ9Em02TCroghf5DWK4bp9jfWygChc7PWmWCni9TTQ5mV-VZrBGTGOalWf2u6_XuY93ua-QJvyKB7Apx1NGFmAtrVXFkUM9PY8XNasCGNEx2VRocUZB_TGjcxdkN1zIavc6ec69uCWj3bMkm5A49mio00slSqH6CGs7r5xevBNovWPNMprA",
  "refresh_token": "<refresh_token>"
}
Error response
{
  "error": "invalid_grant",
  "error_description": "The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.",
  "hint": "Authorization code has expired"
}
Using the access token
Include the access token in every request to the Store API: pass it in the Authorization header with the value BEARER {access_token}.
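A minimal client for the flow above, written as an added example rather than code from the Store API or its documentation: it builds the authorize URL, checks the returned state before accepting the code, builds the token request body, and maps the success and error responses shown above to an Authorization header value. The store URL, client credentials and redirect_uri are constructed placeholders, and it assumes the code is sent in the token body as `code` in a form-encoded POST.

```python
import hmac
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request
# Constructed placeholders: substitute your store URL and the values from your application client.
STORE = "https://store.example"
CLIENT_ID = "your-client-id"
CLIENT_SECRET = "your-client-secret"  # keep out of source control and logs
REDIRECT_URI = "https://app.example/oauth/callback"  # must be a pre-configured redirect_uri

def new_state() -> str:
    """Unguessable per-session value; persist it server-side before redirecting the member."""
    return secrets.token_urlsafe(32)

def build_authorize_url(state: str) -> str:
    """Step 1: the GET {store}/oauth/authorize URL the member is sent to."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return f"{STORE}/oauth/authorize?{urllib.parse.urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the code from the redirect, refusing any callback whose state is not ours."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if not hmac.compare_digest(query.get("state", [""])[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback did not originate from this session")
    return query["code"][0]

def token_request_body(code: str) -> dict:
    """Step 3: body for POST {store}/token (passing the code as 'code' is assumed, per standard OAuth)."""
    return {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET, "grant_type": "authorization_code",
            "code": code, "redirect_uri": REDIRECT_URI}

def parse_token_response(body: str) -> dict:
    """Map the documented success shape to an Authorization header; raise on the documented error shape."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('hint') or data.get('error_description', '')}")
    return {"authorization": f"{data['token_type']} {data['access_token']}",
            "expires_in": int(data["expires_in"]), "refresh_token": data.get("refresh_token")}

def exchange_code(code: str) -> dict:
    """Network step (form-encoded POST assumed); 4xx bodies are parsed so invalid_grant surfaces as an error."""
    data = urllib.parse.urlencode(token_request_body(code)).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(f"{STORE}/token", data=data, method="POST")) as r:
            return parse_token_response(r.read().decode())
    except urllib.error.HTTPError as e:
        return parse_token_response(e.read().decode())
```

The value under `authorization` is what goes in the Authorization header of every Store API request; `exchange_code` is the only function that touches the network.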