Authorization for the B2C Commerce API resources is handled not through user permissions, but through client permissions.

A client for the B2C Commerce API can take many forms: anything from an online storefront to custom merchandising tools.

To authorize this wide range of client types, we’ve defined a set of scopes based on the OAuth 2.1 standard. The available scopes give you control over exactly what clients are authorized to do with the Admin APIs and Shopper APIs.

Not all endpoints use the same security scheme for authorization. Always check the Security section of the endpoint documentation, which is hidden by default.

Both the Admin and Shopper APIs are authorized using an access token in the form of a JSON Web Token (JWT).

Using JWTs offers the following benefits:

  • Coarse-grained client permissions with read-only and read-write permissions.
  • Allows you to grant the same permissions for multiple B2C Commerce instances.
  • Standardized, mature, and established technology.

The JWT access tokens for both Admin APIs and Shopper APIs are included in your API requests as an HTTP header that follows the Bearer authentication scheme.

The Admin APIs and Shopper APIs each have their own mechanisms for setting up API clients and requesting access tokens.