This is one of a series of blog posts about the Moltin API, an eCommerce API for developers built from powerful, flexible building blocks with no steep learning curve.
In this post I will explain the kinds of authentication Moltin supports, how to use each of them and how they differ.
I'm assuming you have read our first post and already have a Client ID and a Client Secret.
Moltin supports several kinds of authentication. Following OAuth2 we'll call them grant types, and which one you use depends on what you want to achieve.
Another important term is access_token: once you have authenticated against the API you receive an access_token that lets you start requesting data from it.
Notice: Bear in mind that each access_token is valid for one hour; after that you will need to re-authenticate.
Moltin offers 4 grant types for authentication:
- Client Credentials
- Password
- Implicit
- Refresh Token
Because the grant types differ in how much trust they carry, each one is allowed to do different things, and some will not let you reach certain API features. We'll call those restrictions scopes.
Client Credentials is the most common and most secure way to get an access token. It also gives you access to every scope the API offers, so you have total control over your store. Because it requires the client_secret, use it only from server-side code you control; never embed the secret in anything shipped to end users.
grant_type = client_credentials
client_id = YOUR_CLIENT_ID
client_secret = YOUR_CLIENT_SECRET
Read scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, admin, easter-eggs, languages, cache, customer-tokens
Write scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, admin, easter-eggs, languages, cache, customer-tokens
Password is not as secure as client_credentials: your application has to handle the user's password itself and send it in the token request (TLS protects it on the wire, but the raw credential still passes through your code). Note from the scope lists below that it also does not grant the admin scope.
grant_type = password
username = YOUR_USER_NAME
password = YOUR_PASSWORD
Read scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens
Write scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens
Implicit is normally used for something that runs on the client side, for example when using Moltin's JavaScript SDK.
The end user may be able to see the client_id (because this is client-side code), so this grant type is limited to the scopes below. Because the end user gets the client_id but never the client_secret, the damage a malicious user can do to the store is limited. Despite the name, this is a direct token request that needs only the client_id, not the browser-redirect flow that RFC 6749 calls the implicit grant.
grant_type = implicit
client_id = YOUR_CLIENT_ID
Read scopes:
products, categories, currencies, cart, checkout, brands, collections, shipping, flows, settings, statistics, taxes, files, addresses, easter-eggs, customer-tokens
Write scopes:
cart, checkout, easter-eggs, customer-tokens
When you authenticate with the password grant type you are also given a refresh_token, which improves security: when the access_token obtained with the password grant expires, you can use refresh_token as a grant_type to request a new token.
This way you don't have to send the password again.
Notice: You will only receive a refresh_token when authenticating with a password grant type.
grant_type = refresh_token
refresh_token = YOUR_REFRESH_TOKEN
Read scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens
Write scopes:
products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes, settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions, accounts, easter-eggs, languages, cache, customer-tokens
An example curl request to get an access_token with the client_credentials grant, needed to request data from the API:
curl --data 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' https://api.molt.in/oauth/access_token
Accessing the products endpoint (always over https, so the bearer token is never sent in the clear):
curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
An example curl request to get an access_token with the password grant:
curl --data 'grant_type=password&username=YOUR_USERNAME&password=YOUR_PASSWORD' https://api.molt.in/oauth/access_token
Accessing the products endpoint:
curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
An example curl request to get an access_token with the implicit grant (client_id only, no secret):
curl --data 'grant_type=implicit&client_id=YOUR_CLIENT_ID' https://api.molt.in/oauth/access_token
Accessing the products endpoint:
curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
An example curl request to get a new access_token with the refresh_token grant, using the refresh_token returned by the password grant:
curl --data 'grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN' https://api.molt.in/oauth/access_token
Accessing the products endpoint:
curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
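As an added example (not Moltin's own SDK and not code from this post), here is a small Python client that ties the four requests above together: it caches the access_token, re-authenticates a minute before the one-hour expiry, and for the password grant switches to the refresh_token so the password is never sent a second time. The token endpoint URL and the form fields per grant are the ones from this post; the JSON shape of the token response (access_token, expires_in, refresh_token) and the fake transport used to run it offline are assumptions.

```python
"""Added example, not Moltin's own SDK: a token manager for the four grant types.

Assumed (not stated in the post): the token endpoint answers with JSON holding
'access_token', 'expires_in' (seconds) and, for the password grant, 'refresh_token'.
The HTTP call is injected as post(url, params) -> dict so the logic runs offline
against a constructed fake; for real use pass a function that POSTs the form
fields with urllib or requests and returns the parsed JSON.
"""
import time

TOKEN_URL = "https://api.molt.in/oauth/access_token"  # from the post

# Form fields each grant type sends (from the post). Only client_credentials
# carries client_secret, so that grant belongs on the server.
GRANT_PARAMS = {
    "client_credentials": ("client_id", "client_secret"),
    "password": ("username", "password"),
    "implicit": ("client_id",),
    "refresh_token": ("refresh_token",),
}


class MoltinAuth:
    def __init__(self, grant_type, post, clock=time.time, skew=60, **creds):
        if grant_type not in GRANT_PARAMS:
            raise ValueError(f"unknown grant_type {grant_type!r}")
        missing = [p for p in GRANT_PARAMS[grant_type] if p not in creds]
        if missing:
            raise ValueError(f"{grant_type} needs {missing}")
        self._grant = grant_type
        # Send only the fields this grant needs; a secret mistakenly handed to an
        # implicit (client-side) instance never reaches the wire.
        self._creds = {p: creds[p] for p in GRANT_PARAMS[grant_type]}
        self._post, self._clock, self._skew = post, clock, skew
        self._token = self._refresh = None
        self._expires_at = 0.0

    def _request(self, params):
        resp = self._post(TOKEN_URL, params)
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp}")
        self._token = resp["access_token"]
        # Tokens last an hour per the post; honour expires_in if the server sends it.
        self._expires_at = self._clock() + int(resp.get("expires_in", 3600))
        # Only the password grant hands out a refresh_token; keep the old one if a
        # refresh response does not include a new one.
        self._refresh = resp.get("refresh_token", self._refresh)

    def token(self):
        """Return a valid access_token, renewing it `skew` seconds before expiry."""
        if self._token and self._clock() < self._expires_at - self._skew:
            return self._token
        if self._refresh:
            # Password grant: exchange the refresh_token instead of resending the password.
            self._request({"grant_type": "refresh_token", "refresh_token": self._refresh})
        else:
            self._request({"grant_type": self._grant, **self._creds})
        return self._token

    def headers(self):
        return {"Authorization": f"Bearer {self.token()}"}


def make_fake_post(log):
    """Constructed stand-in for the token endpoint; records every request in `log`."""
    count = {"n": 0}

    def post(url, params):
        log.append(dict(params))
        if params["grant_type"] == "client_credentials" and params.get("client_secret") != "s3cr3t":
            return {"error": "invalid_client"}
        if params["grant_type"] == "refresh_token" and params.get("refresh_token") != "r-1":
            return {"error": "invalid_grant"}
        count["n"] += 1
        body = {"access_token": f"tok-{count['n']}", "expires_in": 3600}
        if params["grant_type"] == "password":
            body["refresh_token"] = "r-1"  # only the password grant returns one
        return body

    return post


def demo():
    """Walk a server-side client and a password client through an hour of expiry."""
    now, log = [1_000_000.0], []
    post = make_fake_post(log)

    svc = MoltinAuth("client_credentials", post, clock=lambda: now[0],
                     client_id="cid", client_secret="s3cr3t")
    first, cached = svc.token(), svc.token()  # second call hits the cache
    now[0] += 3600                             # expired: secret is sent again
    renewed = svc.token()

    usr = MoltinAuth("password", post, clock=lambda: now[0], username="alice", password="pw")
    user_first = usr.token()
    now[0] += 3600                             # expired: refresh_token used instead
    user_renewed = usr.token()

    try:
        MoltinAuth("client_credentials", post, client_id="cid", client_secret="wrong").token()
        bad_secret_rejected = False
    except RuntimeError:
        bad_secret_rejected = True

    return {
        "tokens": [first, cached, renewed, user_first, user_renewed],
        "grants_sent": [p["grant_type"] for p in log],
        "password_sent_times": sum(p["grant_type"] == "password" for p in log),
        "bad_secret_rejected": bad_secret_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The 60-second skew renews tokens slightly early so a request does not fail with a token that expires in flight; the password client sends the password exactly once and then lives on refresh_token, which is the property the refresh grant exists to provide.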