Authorization
Authorization for the B2C Commerce API resources is handled not through user permissions, but through client permissions.
A client for the B2C Commerce API can take many forms: anything from an online storefront to custom merchandising tools.
To authorize this wide range of client types, we’ve defined a set of scopes based on the OAuth 2.1 standard. The available scopes give you control over exactly what clients are authorized to do with the SCAPI Admin APIs and Shopper APIs.
Not all endpoints use the same security scheme for authorization. Always check the Security section of the endpoint documentation, which is hidden by default.
Both the Admin and Shopper APIs are authorized using an access token in the form of a JSON Web Token (JWT).
Using JWTs offers the following benefits:
- Coarse-grained client permissions, with separate read-only and read-write grants.
- The same permissions can be granted across multiple B2C Commerce instances.
- Standardized, mature, and established technology.
The JWT access tokens for both SCAPI Admin APIs and Shopper APIs are included in your API requests as an HTTP header that follows the Bearer authentication scheme.
The SCAPI Admin APIs and Shopper APIs each have their own mechanisms for setting up API clients and requesting access tokens.
| I need a... | Fastest path |
|---|---|
| Shopper API token | Create a SLAS client (guide), then call the /token endpoint (SLAS overview). |
| Admin API token | Create an API client in Account Manager (guide), then POST to oauth2/access_token. |
For a runnable example that fetches a token and calls an endpoint, see Make Your First Request.
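As an added illustration (not code from this page or from Salesforce), the following Python shows the Admin API path from the table above: request a token with the client credentials created in Account Manager, check client-side that the returned JWT is unexpired and carries the scope the call needs, and attach it with the Bearer scheme. The token endpoint host, the client_credentials/HTTP Basic shape of the request, and the scope names are assumptions; confirm them against the Authorization for Admin APIs guide.

```python
import base64
import json
import time
from urllib import parse, request

# Assumption (not on the page): the Account Manager token endpoint host.
TOKEN_URL = "https://<account-manager-host>/oauth2/access_token"

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Read a JWT's claims. This does NOT verify the signature (SCAPI does that
    server-side); use it only for client-side pre-flight checks."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def token_permits(token, required_scope, now=None):
    """True if the token is unexpired and its space-separated 'scope' claim grants required_scope."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()

def bearer_header(token):
    # Admin and Shopper APIs both take the JWT via the Bearer authentication scheme.
    return {"Authorization": f"Bearer {token}"}

def request_admin_token(client_id, client_secret, scope):
    """Assumed shape of the Admin API flow (client_credentials grant, HTTP Basic client
    authentication); confirm against the Authorization for Admin APIs guide."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = parse.urlencode({"grant_type": "client_credentials", "scope": scope}).encode()
    req = request.Request(TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded"})
    with request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]

def make_demo_token(claims):
    """Constructed, unsigned sample token for offline tests only (alg 'none', dummy signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

Checking the scope claim before a call only gives an early, readable failure; the server still enforces the scopes, so a token that passes this check can still be rejected.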
- To set up SCAPI Admin API access, see the Authorization for Admin APIs guide.
- To set up Shopper API access, see the Authorization for Shopper APIs guide.
- For advanced SLAS topics (grant types, token types, refresh tokens), see the SLAS overview.
- Review the complete Authorization Scopes Catalog.