Session-aware access tokens

Learn how to create session-aware access tokens.

A session-aware access token links a Global Commerce shopper session to an access token and lets you continue a shopper workflow with a previously established shopper session.

To create a session-aware access token, use the sessionToken query parameter or dr_session_token form parameter, depending on the workflow.

You must provide a session-aware token when transitioning a shopper from a 3rd-party application to a Digital River-hosted checkout experience to complete an online purchase.

You can create a session-aware token by sending either a browser call or a request to the Token endpoint in either the Shopper API or the OAuth API.

If you provide a session token when generating an access token, the system creates a new shopper session.

You can choose one of the following options to create a session-aware access token:

Creating an anonymous shopper token for a site with an API key

Establish an anonymous shopper (limited access) token in a single call by passing in your API key to the sessionToken site action.

You must include the sessionToken site action. The sessionToken site action MUST come from the client side (the shopper's browser). You can do this via ajax, as shown in the following example.

Example
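function sessionToken() {
    // Must run in the shopper's browser so the session belongs to the shopper.
    $.ajax({
        url: "https://store.digitalriver.com/store/[siteID]/SessionToken?apiKey=[apiKey]&format=json",
        type: 'GET',
        async: false,
        contentType: "application/json",
        dataType: "jsonp",
        error: function (data) {
            // Handle the failed request here.
        },
        success: function (data) {
            // Read the token from the response here.
        }
    });
}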

Creating an anonymous shopper token for a site via OAuth 2.0

This example requires two calls: one to get the session token, and another to create the access token.

Step 1: Get a dr_session_token from the sessionToken site action with no API key

You must include the sessionToken site action and it MUST come from the client side (the shopper's browser). You can do this via ajax, as shown in the following example.

Example
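function sessionToken() {
    // Must run in the shopper's browser; no API key is sent in this variant.
    $.ajax({
        url: "https://store.digitalriver.com/store/[siteID]/SessionToken?format=json",
        type: 'GET',
        async: false,
        contentType: "application/json",
        dataType: "jsonp",
        error: function (data) {
            // Handle the failed request here.
        },
        success: function (data) {
            // Read the session token from the response here, then use it in Step 2.
        }
    });
}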

Step 2: POST the dr_session_token to the oauth20 resource to get an anonymous shopper token.

curl --location -g --request POST 'https://api.digitalriver.com/oauth20/token' \
--header 'Authorization: bearer {{access_token}}' \
...
--data-raw '{
    dr_session_token: [from step #1]
    grant_type: password
    format: json
}'

The time-to-live (TTL) value for expires_in respects the user session site settings in Global Commerce. In this example, the token for the site expires in 86397 seconds (24 hours).
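The following is an added example, not Digital River's code, covering Step 2 and the expires_in handling described above: it form-encodes the dr_session_token request body so that characters such as + and = in a token survive transport, and it converts expires_in into an absolute expiry. The form content type, the access_token response field name, the 60-second refresh margin, and the function names are assumptions; the token values used with it are constructed.

```javascript
// Added example. Function names are hypothetical, not part of any SDK.
const TOKEN_URL = "https://api.digitalriver.com/oauth20/token"; // from Step 2

// Build the Step 2 request for a dr_session_token obtained in Step 1.
// Assumption: the body is form-encoded (the page calls dr_session_token a
// "form parameter"). Authorization is left to the caller.
function buildTokenRequest(sessionToken) {
  if (typeof sessionToken !== "string" || sessionToken.trim() === "") {
    throw new TypeError("dr_session_token must be a non-empty string");
  }
  // URLSearchParams percent-encodes "+", "/" and "=", which would otherwise
  // be decoded as a space or corrupt the parameter on the server side.
  const body = new URLSearchParams({
    dr_session_token: sessionToken,
    grant_type: "password",
    format: "json",
  }).toString();
  return {
    url: TOKEN_URL,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body,
  };
}

// Convert the token response into a record with absolute expiry times.
// Assumption: standard OAuth 2.0 fields access_token and expires_in (seconds).
function parseTokenResponse(json, nowMs = Date.now(), skewSeconds = 60) {
  const data = typeof json === "string" ? JSON.parse(json) : json;
  if (!data || typeof data.access_token !== "string" || data.access_token === "") {
    throw new Error("token response has no access_token");
  }
  const ttl = Number(data.expires_in);
  if (!Number.isFinite(ttl) || ttl <= 0) {
    throw new Error("token response has no usable expires_in");
  }
  return {
    accessToken: data.access_token,
    expiresAtMs: nowMs + ttl * 1000,
    // Refresh early so a request never carries a token that expires in flight.
    refreshAtMs: nowMs + Math.max(ttl - skewSeconds, 0) * 1000,
  };
}

// True once the stored token must no longer be sent.
function isExpired(record, nowMs = Date.now()) {
  return nowMs >= record.expiresAtMs;
}
```

Keep the returned record in memory on the side that calls the API, and keep the access token out of logs and URLs.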
