Skip to main content

Getting started

Documentation for all public and administrative Storefront APIs.

Note: Please check API Reference tab to see all the available storefront APIs.

Authentication

We use the OAuth 2.0 Authorization Framework to authenticate requests. When your Storefront account is provisioned, you will receive a pair of YOUR_CLIENT_ID and YOUR_CLIENT_SECRET that you need to keep for yourself. You use the YOUR_CLIENT_ID and YOUR_CLIENT_SECRET to authenticate yourself to Storefront, and receive an access token in exchange. That access token must be used in every API call you send.

caution

Never share your YOUR_CLIENT_SECRET!

note

Access tokens are short-lived, meaning: they expire within minutes. Once an access token expires, simply request a new access token by method described below.

User-Scoped and Tenant-Scoped Clients

There are two types of clients. User-scoped clients are always assigned to an individual user. Tenant-scoped clients can be used to execute an API request on behalf of another user.

A user-scoped client is required for APIs that require elevated permissions such as creating new catalogs or modifying vendors. For example, the Admin API requires a user-scoped client.

A tenant-scoped client can be used for APIs that are typically executed by a machine on behalf of a user. An example is to search for a product on behalf of some shopper. It would simply not be suitable to issue a client for each user, especially for organizations with thousands of users.

Tenant-scoped clients typically allow to pass the email address for which the request should be executed. Please refer to the actual documentation if and how a user-scoped or a tenant-scoped client are permitted.

Issuing an Access Token

There are 4 ways to get the access token and they are as follows.

1. Using authorization code

  • Step 1 - Get code by calling oauth/authorize API as follows
Examples
curl --location '<your domain>/oauth/authorize' \
--form 'response_type="code"' \
--form 'client_id="c6b39d0c-45e0-4917-bf37-27590918cb29"' \
--form 'email="user@storefront.run"' \
--form 'redirect_uri="<your redirect uri>"'
Parameters
ParameterDescription
response_typeSet this to code to get authorization code in return.
client_idYour Storefront Client ID. You can find this in the settings tab of your account.
emailOnly required if the Client is tenant-scoped.
Response

If everything goes well, you will be redirected to redirect uri with code and state params

{
  "code": "eJh62MC2n7dHp....dRKkiFvWDrYmDW1Y",
  "state": ""
}
Errors

In case of an error, you can use the HTTP status code and the response body to find out what went wrong.

HTTP Status CodeDescription
400 Bad RequestThe server understood your request but is unable to complete it, e.g. because a required parameter is missing.
401 UnauthorizedYou sent invalid credentials.
500 Internal Server ErrorSomething went wrong on our side.

The HTTP response body if formatted according to the OAuth 2.0 Specification Section 5.2.

Example:

{
  "error": "invalid_request",
  "error_description": "Invalid request"
}
  • Step 2 - Get access_token by calling oauth/token API as follows
Examples
curl --location '<your domain>/oauth/token' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=c6b39d0c-45e0-4917-bf37-27590918cb29' \
--data-urlencode 'code=c1negPySlEqKBNlFsKxCOPaM_GA3e4-MPvx0Y7kAj6HabjQimP-rIJoP16EO0_FU' \
--data-urlencode 'redirect_uri=<your domain>'
Parameters
ParameterDescription
grant_typeSet this to authorization_code to get access token code in return using code.
client_idYour Storefront Client ID. You can find this in the settings tab of your account.
codePass the code that we received in step-1.
redirect_urilRedirect uri
Response

If everything goes well, you will receive the access token in response.

{
  "access_token": "wwHIT96o-D5gkH2t0i7s....ONChtZ6R0d_Ww-LhAk",
  "token_type": "bearer",
  "expires_in": 899,
  "refresh_token": "PeBKxIP-Th-xG2Pbwyx4mo....gHUFAV-uD-W4EEU9bCLWsWiMC"
}
Errors

In case of an error, you can use the HTTP status code and the response body to find out what went wrong.

HTTP Status CodeDescription
400 Bad RequestThe server understood your request but is unable to complete it, e.g. because a required parameter is missing.
401 UnauthorizedYou sent invalid credentials.
500 Internal Server ErrorSomething went wrong on our side.

The HTTP response body if formatted according to the OAuth 2.0 Specification Section 5.2.

Example:

{
  "error": "invalid_request",
  "error_description": "Invalid request"
}

2. Using client credentials

To get access token using client credentials, call the oauth/token api as follows

Examples
curl --location '<your domain>/oauth/token' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=c6b39d0c-45e0-4917-bf37-27590918cb29' \
--data-urlencode 'client_secret=TTR2P4ES6cpfB2to4L6G4m2xzBm695hhMh1rg93B0DxKMNiw9n7aa9LU7316u68Z'
Parameters
ParameterDescription
grant_typeSet this to client_credentials to get access token code.
client_idYour Storefront Client ID. You can find this in the settings tab of your account.
client_secretYour storefront client secret
note

The above params can be passed in json body as well. client_id and client_secret can be passed in Authorization header Basic <base64 encode value of client_id:client_secret>

Response

If everything goes well, you will receive the access token in response.

{
  "access_token": "wwHIT96o-D5gkH2t0i7s....ONChtZ6R0d_Ww-LhAk",
  "token_type": "bearer",
  "expires_in": 899
}
Errors

In case of an error, you can use the HTTP status code and the response body to find out what went wrong.

HTTP Status CodeDescription
400 Bad RequestThe server understood your request but is unable to complete it, e.g. because a required parameter is missing.
401 UnauthorizedYou sent invalid credentials.
500 Internal Server ErrorSomething went wrong on our side.

The HTTP response body if formatted according to the OAuth 2.0 Specification Section 5.2.

Example:

{
  "error": "invalid_request",
  "error_description": "Invalid request"
}

3. Using JWT token

To get access token using JWT token, first need to create a JWT token using follwing parameters -

  • Algorithm - HS256
  • Payload
{
  "sub": "email@storefront.run", // user email
  "iss": "c6b39d0c-45e0-4917-bf37-27590918cb29", // storefront client id
  "name": "username", // username
  "iat": 1708072005, // created at
  "view": "external_view"
}
  • User client_secret to add the signature. Check jwt.io for more details.
  • You have the encoded token which can be passed to the /oauth/token api to get the access token as follows
  • The view can be either not passed(nil - consider user's view) or ""(empty - consider tenant's default view) or external view ID(consider input passed view).
Examples
curl --location '<your domain>/oauth/token' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer' \
--data-urlencode 'assertion=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJyb290QHN0b3JlZnJvbnQucnVuIiwiaXNzIjoiYzZiMzlkMGMtNDVlMC00OTE3LWJmMzctMjc1OTA5MThjYjI5IiwibmFtZSI6InJvb3QiLCJpYXQiOjE3MDgwNzIwMDV9.JaFkajBD1_mLQPYnLZYny8aeYr3Y_S7qy6eBqnQamjU'
Parameters
ParameterDescription
grant_typeSet this to urn:ietf:params:oauth:grant-type:jwt-bearer to get access token code.
assertionJWT token created using above mentioned steps
Response

If everything goes well, you will receive the access token in response.

{
  "access_token": "sJOTniniSo6XO7....enbrh7nBJd6bMo1DsuVMz",
  "token_type": "bearer",
  "id_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3Mi.......JcF0ey4MuhQLE",
  "expires_in": 899
}
Errors

In case of an error, you can use the HTTP status code and the response body to find out what went wrong.

HTTP Status CodeDescription
400 Bad RequestThe server understood your request but is unable to complete it, e.g. because a required parameter is missing.
401 UnauthorizedYou sent invalid credentials.
500 Internal Server ErrorSomething went wrong on our side.

The HTTP response body if formatted according to the OAuth 2.0 Specification Section 5.2.

Example:

{
  "error": "invalid_request",
  "error_description": "Invalid request"
}

4. Using refresh token

The refresh token received in the response in the method 1(using authorization code) can be used to get the access token as follows

Examples
curl --location '<your domain>/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'refresh_token=eww5FRYG2m990xXW9K9VamCwNEJ1JyUIWVRfkLOXOK7jFC-BzwPtEH3ya4jQiKvW' \
--data-urlencode 'client_id=c6b39d0c-45e0-4917-bf37-27590918cb29' \
--data-urlencode 'client_secret=TTR2P4ES6cpfB2to4L6G4m2xzBm695hhMh1rg93B0DxKMNiw9n7aa9LU7316u68Z'
Parameters
ParameterDescription
grant_typeSet this to refresh_token to get access token code.
refresh_tokenRefresh token received in the response when you got the access token
client_idYour Storefront Client ID. You can find this in the settings tab of your account.
client_secretYour storefront client secret
note

client_id and client_secret can be passed in Authorization header Basic <base64 encode value of client_id:client_secret>

Response

If everything goes well, you will receive the access token in response.

{
  "access_token": "zwV_jKipfJfVlKO6vLUWm...711B0L_dL",
  "token_type": "bearer",
  "expires_in": 899,
  "refresh_token": "eww5FRYG2m990xXW9K9VamCw...BzwPtEH3ya4jQiKvW"
}
Errors

In case of an error, you can use the HTTP status code and the response body to find out what went wrong.

HTTP Status CodeDescription
400 Bad RequestThe server understood your request but is unable to complete it, e.g. because a required parameter is missing.
401 UnauthorizedYou sent invalid credentials.
500 Internal Server ErrorSomething went wrong on our side.

The HTTP response body if formatted according to the OAuth 2.0 Specification Section 5.2.

Example:

{
  "error": "invalid_request",
  "error_description": "Invalid request"
}