Learn how Commerce API authenticates requests.

Authentication is crucial to securing applications and ensuring access is granted only to authorized users. In the context of APIs, authentication mechanisms validate the identity of clients and shoppers trying to access resources. Various methods, such as API keys and OAuth tokens, are used to authenticate requests, each serving different purposes and levels of security.

Commerce API uses the OAuth 2.0 standard, aligning with the W3C guidelines to provide robust and secure authorization. This method empowers developers to interact with user accounts without compromising sensitive credentials, enhancing security and user experience.

Authentication differences

The Shopper APIs authenticate requests using API keys and an OAuth token for authorization. In contrast, Admin APIs only require API keys.

OAuth is an open protocol that provides secure authorization for web, mobile, and desktop applications. A third-party application can use the OAuth 2.0 authorization framework to obtain limited access to an HTTP service.

Note: Use the OAuth 2.0 authentication exclusively with the Commerce APIs.

Consumer-facing applications

Consumer-facing applications are software solutions designed to interact directly with end users. They must prioritize usability, security, and performance. Leveraging OAuth 2.0, they ensure secure access and authorization without exposing sensitive account credentials. Examples include web portals, mobile apps, desktop clients, and interactive web widgets.

Service providers

Service providers offer services or resources to end users, typically through APIs or web services. Using OAuth 2.0, they can securely manage access to their resources by granting limited access tokens to third-party applications. This ensures that sensitive data is not exposed and only authorized applications can interact with the services. Implementing OAuth 2.0 for service providers facilitates seamless and secure integration with various client applications.

Remember to:

  • Implement robust security measures to protect user data.

  • Use OAuth tokens to control access to your services.

  • Regularly review and update your OAuth configurations to stay compliant with best practices.

Last updated