How to Authenticate against Moltin API

Series

This post is part of a series about the Moltin API, an eCommerce API for developers built from powerful and flexible building blocks with no steep learning curve.


In this post I will explain the different kinds of authentication that Moltin supports, how to use each of them, and what the differences between them are.


Assumptions

I'm assuming you have read our first post and you already have a Client ID and a Client Secret.


Introduction

Moltin supports several kinds of authentication. Following OAuth2, we call them grant types; which grant type you use depends on what you want to achieve.

Another important term is access_token: once you have authenticated against the API you receive an access_token, which is what lets you start requesting data from the API.

Notice: bear in mind that each access_token is valid for one hour; after that you will need to re-authenticate.

Grant Types

Moltin offers 4 grant types for authentication:

  • Client Credentials
  • Password
  • Implicit
  • Refresh Token

Because each grant type has a different security profile, each one lets you do different things: some of them will not let you access certain API features. We call those restrictions scopes.

Client Credentials

This is the most common and most secure way to get an access token. It also gives you access to all the scopes offered by the API, so you have total control over what you can do with your store.

Required parameters
grant_type = client_credentials  
client_id = YOUR_CLIENT_ID  
client_secret = YOUR_CLIENT_SECRET  
Scopes

Read scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, admin, easter-eggs, languages, cache, customer-tokens  

Write scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, admin, easter-eggs, languages, cache, customer-tokens  

Password

This is not as secure as client_credentials, as you send an unencrypted password when requesting the access token.

Required parameters
grant_type = password  
username = YOUR_USER_NAME  
password = YOUR_PASSWORD  
Scopes

Read scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens  

Write scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens  

Implicit

Normally used when you build something that runs on the client side, for example when using Moltin's JavaScript SDK.

Because the end user may be able to see the client_id (it ships in client-side code), this grant_type has limitations, defined by the scopes below. By never handing out the client_secret, and by restricting what the client_id alone can do, we limit any malicious activity on the store.

Required parameters
grant_type = implicit  
client_id = YOUR_CLIENT_ID  
Scopes

Read scopes:

products, categories, currencies, cart, checkout, brands, collections, shipping, flows, settings, statistics, taxes, files, addresses, easter-eggs, customer-tokens  

Write scopes:

cart, checkout, easter-eggs, customer-tokens  

Refresh Token

To make the password grant type safer, authenticating with it also gives you a refresh_token. When the access_token obtained through the password grant_type expires, you can use refresh_token as a grant_type to request a new token.

In this way you don't have to authenticate again using the password.

Notice: you will only receive a refresh_token when authenticating with the password grant type.

Required parameters
grant_type = refresh_token  
refresh_token = YOUR_REFRESH_TOKEN  
Scopes

Read scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens  

Write scopes:

products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens  
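The token lifecycle the four grant types above describe, as an added Python example that is not part of the original post or of any Moltin SDK: it builds the form body for a grant type, checks the required parameters, caches the access_token for its one-hour lifetime, and falls back to the refresh_token (only present after a password grant) instead of resending the password. The expires_in response field and the transport stub are assumptions.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://api.molt.in/oauth/access_token"  # token endpoint from the post

# Form fields each grant type must carry, per the post's "Required parameters".
REQUIRED = {
    "client_credentials": ("client_id", "client_secret"),
    "password": ("username", "password"),
    "implicit": ("client_id",),
    "refresh_token": ("refresh_token",),
}


class MoltinAuth:
    """Fetch an access_token, cache it, and refresh it once the hour is up."""

    def __init__(self, transport=None):
        # transport(url, form_dict) -> dict; defaults to urllib, a test injects a stub
        self.transport = transport or self._post
        self.access_token = None
        self.refresh_token = None  # only ever issued by the password grant
        self.expires_at = 0.0

    @staticmethod
    def _post(url, body):
        req = Request(url, data=urlencode(body).encode(), method="POST")
        with urlopen(req) as resp:  # HTTPS only: the form carries secrets
            return json.load(resp)

    def authenticate(self, grant_type, **params):
        missing = [f for f in REQUIRED[grant_type] if f not in params]
        if missing:
            raise ValueError(f"{grant_type} grant needs {missing}")
        tok = self.transport(TOKEN_URL, {"grant_type": grant_type, **params})
        self.access_token = tok["access_token"]
        # Tokens live one hour; honour expires_in if the server sends it (assumed field).
        self.expires_at = time.time() + int(tok.get("expires_in", 3600))
        # Keep a newly issued refresh_token, otherwise reuse the one already held.
        self.refresh_token = tok.get("refresh_token", self.refresh_token)
        return self.access_token

    def token(self):
        """Valid token for the Authorization header; refreshes via refresh_token if held."""
        if self.access_token and time.time() < self.expires_at - 30:  # 30 s clock slack
            return self.access_token
        if self.refresh_token:
            return self.authenticate("refresh_token", refresh_token=self.refresh_token)
        raise RuntimeError("access_token expired and no refresh_token: re-authenticate")
```

Send `{"Authorization": f"Bearer {auth.token()}"}` with each API request; a client_credentials or implicit token raises once it expires, because those grants never hand out a refresh_token.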

Example

Client Credentials

An example curl request to get an access_token needed to request data from the API.

curl --data 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' https://api.molt.in/oauth/access_token  

Accessing the products endpoint:

curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"  

Password

An example curl request to get an access_token needed to request data from the API.

curl --data 'grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD' https://api.molt.in/oauth/access_token  

Accessing the products endpoint:

curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"  

Implicit

An example curl request to get an access_token needed to request data from the API.

curl --data 'grant_type=implicit&client_id=YOUR_CLIENT_ID' https://api.molt.in/oauth/access_token  

Accessing the products endpoint:

curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"  

Refresh Token

An example curl request to get an access_token needed to request data from the API.

curl --data 'grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN' https://api.molt.in/oauth/access_token  

Accessing the products endpoint:

curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"  

Resources