Authorization for the Salesforce Commerce API resources is handled not through user permissions, but through client permissions.
A client for the Commerce API can take many forms: anything from an online storefront to custom merchandising tools.
To authorize this wide range of client types, we’ve defined a set of scopes based on the OAuth 2 standard. The available scopes give you control over exactly what clients are authorized to do with the Admin APIs and Shopper APIs.
Both the Admin and Shopper APIs are authorized using an access token in the form of a JSON Web Token (JWT).
Using JWTs offers the following benefits:
- Coarse-grained client permissions with read-only and read-write permissions.
- Allows you to grant the same permissions for multiple B2C Commerce instances.
- Standardized, mature, and established technology.
The JWT access tokens for both Admin APIs and Shopper APIs are included in your API requests as an HTTP header that follows the Bearer authentication scheme.
Although both Admin APIs and Shopper API use JWT access tokens, each group of APIs has its own mechanism for setting up API clients and requesting an access token.