OAuth
Learn how to authenticate to use the Store API
If you integrate with our OAuth service, you can make API requests on a member's behalf without the member having to share their credentials with you. This unlocks building a headless members area.
The first step is to configure your OAuth application client, which you manage through your organisation settings. You will be asked to configure your redirect_uri and give the client a name. The first time you create the application you will be shown your client_id and client_secret, which should be stored securely.
Authorizing as a member
GET {store}/oauth/authorize
Send the user to the authorize URL on the desired store.
response_type: Always code
client_id: The client_id from your application client.
redirect_uri: One of the pre-configured redirect_uri values from your application client. The user will be redirected here on success.
state
Exchanging the code for a token
POST {store}/token
On successful authorization, the user will be redirected to the specified redirect_uri with a code and state parameter. You should use this endpoint to exchange the code for an access token.
Body
client_id: The client_id from your application client.
client_secret: The client_secret from your application client.
grant_type: Always authorization_code
redirect_uri: The redirect_uri that was used to redirect the user.
Response
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiI4YjU1ZDk3MjJlMDk0ODRlZWM2ZWQ2NzVkODM1MjViMiIsImp0aSI6IjRiMTRlYTJlMDVlN2Q2NmNlNDg4Yzk4NDY0NTEyNjYxOWQzMDU0NTY1MDdiZmJmYzZkMzlhZTdlMDBjNTNmYmIwNDJlZTA2MzdjMTg0YmU4IiwiaWF0IjoxNzUwNzAxMjI0LjI5NzQ5NiwibmJmIjoxNzUwNzAxMjI0LjI5NzUwMiwiZXhwIjoxNzUwNzA0ODI0LjI3MDYzMSwic3ViIjoiZnJlZGRkZGR5eXkrbXltZW1iZXJAZ21haWwuY29tIiwic2NvcGVzIjpbXX0.hnVZ-DIdkKE_VhmyOO5B3q-ISisc1sg2IpCgXhC3X96cxen1gvrFvtQ7GOC1HdTntMzg_DdzJ2WwmmhDyUtSm57UtYtrxbe6NwSv4OiBzC6aR7idKx7XlLu9Hp1gz0XHaDFrH_V2LCZvrf1Ygr6YyNaAavr6rWLq3I3SQ9Em02TCroghf5DWK4bp9jfWygChc7PWmWCni9TTQ5mV-VZrBGTGOalWf2u6_XuY93ua-QJvyKB7Apx1NGFmAtrVXFkUM9PY8XNasCGNEx2VRocUZB_TGjcxdkN1zIavc6ec69uCWj3bMkm5A49mio00slSqH6CGs7r5xevBNovWPNMprA",
"refresh_token": "<refresh_token>"
}
Using the access token
Include the access token in every request to the Store API. It is passed in the Authorization header with the value BEARER {access_token}.
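The whole flow above, as an added example that is not part of this documentation: building the authorize URL, checking the state value on the callback before the code is exchanged, forming the server-side token request, and building the Authorization header from the token response. The store host, client values and redirect URI are constructed placeholders, and the code field in the token body is an assumption (the standard authorization_code grant parameter; the page lists only client_id, client_secret, grant_type and redirect_uri).

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values; real ones come from your organisation settings.
STORE = "https://store.example.test"
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.test/oauth/callback"


def build_authorize_url(store, client_id, redirect_uri, state):
    """URL the member is sent to; state is a fresh random value kept in the session."""
    params = {
        "response_type": "code",       # always "code"
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # one of the pre-configured redirect URIs
        "state": state,
    }
    return f"{store}/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect, refusing it unless state matches the
    value stored for this session (a code from someone else's flow is rejected)."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: authorization code discarded")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no code")
    return code


def token_request(store, client_id, client_secret, code, redirect_uri):
    """POST to {store}/token, sent from the backend so client_secret stays server-side.
    The 'code' field is an assumption (standard authorization_code grant); the page
    lists only client_id, client_secret, grant_type and redirect_uri."""
    return {"url": f"{store}/token", "body": {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "redirect_uri": redirect_uri,  # the same redirect_uri used above
    }}


def auth_header(token_response):
    """Authorization header for Store API calls, built from the token response."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}
```

Generate the state with secrets.token_urlsafe() when starting the flow and store it in the member's session so parse_callback can compare against it.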