Authentication
All API endpoints require authentication. To authenticate your request, you will need to provide an access token. Access tokens are generated via an authentication API endpoint.
After creating an access token, you can authenticate your request by sending the access token in the Authorization header of your request:
Authorization: Bearer 212LJ3k0i2382364HIUEjfeJB98yvH
Read our Quick Start guide on how to make your first API request.
Access tokens expire after 1 hour, after which you will have to generate a new one. If you're using our JavaScript SDK, this is handled for you automatically.
Client Credentials vs. Implicit Use Case Scenarios
There are two authentication methods, client_credentials and implicit. The implicit authentication will generate an access token that has more limited access, restricting access to mostly read-only, whereas the access token from client_credentials has full read and write access. Typically, you would use the implicit authentication method for client-side browser based applications (i.e. the frontend), and client_credentials for all administrative tasks (CRUD) you need to perform at the backend.
Shopper Authentication
An implicit access token is often used alongside an Account Management authentication token or a Customer token to access resources restricted to a shopper.
Account Authentication
Account Management authentication tokens are available for anyone using the Account Management APIs.
For each element in the list returned by the account member authentication API, a token value is returned. In order for a shopper to authenticate as the account, this value should be set as the EP-Account-Management-Authentication-Token header when calling Commerce. This header grants access to additional resources associated with the account, such as carts, orders, catalogs with associated rules, and addresses.
The set of permissions available to a shopper using an Account Management Authentication token is documented in Permissions.
For more information on implementing account management authentication tokens, see Account Management Authentication Tokens.
Customer Authentication
Customer tokens are available for anyone using the Customer APIs.
A customer token provides access to the records of the customer. Use single sign-on or the email address and password of the customer to retrieve the customer tokens. The customer token should be set as the X-Moltin-Customer-Token header to access the following APIs:
- Get a Customer
- Update a Customer
- Get Customer Addresses
- Get an Address
- Create an Address
- Update an Address
- Get all Orders
- Get an Order
- Get Customer Carts
- Create an Association between a Customer and a Cart
- Delete an Association Between a Customer and a Cart
- Add Promotion to Cart
For more information on implementing customer tokens, see Customer Tokens.
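The following Python example is added here to tie together the client_credentials vs. implicit choice, the 1-hour token expiry, and the shopper headers described above; it is not code from the documentation or the SDK. The token endpoint URL and request body fields are assumptions (the page does not give them), and the actual HTTP call is left to a caller-supplied fetch function so the example runs offline.

```python
import time
from typing import Callable, Dict, Optional

TOKEN_TTL = 3600      # the page states access tokens expire after 1 hour
REFRESH_MARGIN = 60   # refresh early so a request never carries a token about to expire

# Assumed token endpoint; the page names the grant types but not the URL.
TOKEN_URL = "https://api.example.com/oauth/access_token"


def token_request(grant_type: str, client_id: str, client_secret: Optional[str] = None) -> Dict[str, str]:
    """Build the (assumed) token request body. The client secret only ever travels with
    client_credentials, which belongs on the backend; browser code using the implicit
    grant must never be given the secret."""
    if grant_type == "client_credentials":
        if not client_secret:
            raise ValueError("client_credentials requires a client secret (backend only)")
        return {"grant_type": grant_type, "client_id": client_id, "client_secret": client_secret}
    if grant_type == "implicit":
        if client_secret:
            raise ValueError("never send the client secret with the implicit grant (browser code)")
        return {"grant_type": grant_type, "client_id": client_id}
    raise ValueError(f"unknown grant type {grant_type!r}")


class TokenCache:
    """Caches one access token and re-fetches it shortly before the 1-hour expiry."""

    def __init__(self, fetch: Callable[[], str], now: Callable[[], float] = time.time):
        self._fetch, self._now = fetch, now
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.fetch_count = 0

    def get(self) -> str:
        if self._token is None or self._now() >= self._expires_at - REFRESH_MARGIN:
            self._token = self._fetch()
            self._expires_at = self._now() + TOKEN_TTL
            self.fetch_count += 1
        return self._token


def build_headers(access_token: str, account_token: Optional[str] = None,
                  customer_token: Optional[str] = None) -> Dict[str, str]:
    """Bearer header as shown on the page, plus the shopper headers only when supplied."""
    headers = {"Authorization": f"Bearer {access_token}"}
    if account_token:
        headers["EP-Account-Management-Authentication-Token"] = account_token
    if customer_token:
        headers["X-Moltin-Customer-Token"] = customer_token
    return headers
```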
Authenticating for Use on the Documentation site
In order to perform any of the API requests directly on the documentation site, you will need to authenticate to get an access token. After the first request, any subsequent request will continue to use the same access token.
License
MIT