Glue API authentication and authorization

Edit on GitHub

This is a document related to the Old Glue infrastructure. For the new one, see Decoupled Glue API

Protected resources in Spryker Glue API require user authentication. For the authentication, Spryker implements the OAuth 2.0 mechanism. On the REST API level, it is represented by the Login API.

To get access to a protected resource, a user obtains an access token. An access token is a JSON Web Token used to identify a user during API calls. Then, they pass the token in the request header.


For security purposes, access tokens have a limited lifetime. When retrieving an access token, the response body also contains the token’s lifetime, in seconds. When the lifetime expires, the token can no longer be used for authentication.

There is also a refresh token in the response. When your access token expires, you can exchange the refresh token for a new access token. The new access token also has a limited lifetime and a new refresh token.

The default lifetime of the access tokens is 8 hours (28800 seconds) and 1 month (2628000 seconds) of the refresh tokens.

For security purposes, when you finish sending requests as a user, or if a token gets compromised, we recommend revoking the refresh token. Revoked tokens are marked as expired on the date and time of the request and can no longer be exchanged for access tokens.

Expired tokens are stored in the database, and you can configure them to be deleted.

Protected resources

Below, you can find a list of the default protected resources. As Glue API is highly customizable, a shop is likely to have its own list of protected resources. To avoid extra calls, we recommend retrieving protected resources of the shop before you start working with the API or setting up a flow.

Customer: Retrieve a customer GET /customers/{{customer_reference}}
Customers: Update customer address PATCH /customers/{{customer_id}}/addresses/{{address_id}}
Customers: Delete customer address DELETE ​/customers​/{{customer_id}}​/addresses​/{addressId}
Customers: Retrieve list of all customer addresses GET ​/customers​/{{customer_id}}​/addresses
Customers: Create customer address POST /customers/{{customer_id}}/addresses
Customers: Retrieve customer data GET /customers/{{customerId}}
Customers: Update customer data PATCH /customers/{{customerId}}
Customers: Anonymize customers DELETE /customers/{{customerId}}
Customer password: Update customer password PATCH /customer-password/{{customerPasswordId}}
Cart codes: Add code to cart. GET /carts/{{cartId}}/cart-codes
Cart codes: Delete code from cart DELETE /carts/{{cartId}}/cart-codes/{code}
Carts: Retrieve cart by id GET /carts/{{cartId}}
Carts: Update a cart PATCH /carts/{{cartId}}
Carts: Delete cart by id DELETE /carts/{{cartId}}
Carts: Retrieve list of all customer’s carts GET /carts
Carts: Create cart POST /carts
Items: Add item to cart POST /carts/{{cartId}}/items
Items: Update cart item quantity PATCH /carts/{{cartId}}/items/{{itemId}}
Items: Remove item from cart DELETE /carts/{{cartId}}/items/{{itemId}}
Companies: Retrieve company by id GET /companies/{{companyId}}
Companies: Retrieve company collection GET /companies
Company business unit addresses: Retrieve company business unit address by id GET /company-business-unit-addresses/{{companyBusinessUnitAddressId}}
Company business unit addresses: Retrieve company business unit addresses collection GET /company-business-unit-addresses
Company roles: Retrieve company role by id GET /company-roles/{{companyRoleId}}
Company roles: Retrieve company role collection GET /company-roles
Company user access token: Create access token for company user POST /company-user-access-tokens
Company users: Retrieve company user by id GET /company-users/{{companyUserId}}
Company users: Retrieve list of company users GET /company-users
Orders: Retrieve order by id GET /orders/{{orderId}}
Orders: Retrieve list of orders GET /orders
Product reviews: Create product review POST /abstract-products/{{abstractProductId}}/product-reviews
Refresh tokens: Revoke customer’s refresh token DELETE /refresh-tokens/{{refreshTokenId}}
Returns: Retrieve return by id GET /returns/{{returnld}}
Returns: Retrieve list of returns GET /returns
Returns: Create return POST /returns
Shared-carts: Share cart POST /carts/{{cartld}}/shared-carts
Shared-carts: Update permission group for shared cart PATCH /shared-carts/{{sharedCartId}}
Shared-carts: Delete cart sharing DELETE /shared-carts/{{sharedCartId}}
Shopping list items: Add shopping list item POST /shopping-lists/{{shoppingListId}}/shopping-list-items
Shopping list items: Update shopping list item PATCH /shopping-lists/{{shoppingListId}}/shopping-list-items
Shopping list items: Delete shopping list item DELETE /shopping-lists/{{shoppingListId}}/shopping-list-items
Shopping lists: Retrieve shopping list by id GET /shopping-lists/{{shoppingListId}}
Shopping lists: Update shopping list by id PATCH /shopping-lists/{{shoppingListId}}
Shopping lists: Delete shopping list by id DELETE /shopping-lists/{{shoppingListId}}
Shopping lists: Retrieve list of all customer’s shopping lists GET /shopping-lists
Shopping lists: Create shopping list POST /shopping-lists
Up-selling products: Retrieve list of all up-selling products for cart GET /carts/{{cartId}}/up-selling-products
Vouchers: Add a code to cart POST /carts/{{cartId}}/vouchers
Vouchers: Delete code from cart DELETE /carts/{{cartId}}/vouchers/{{voucherCode}}
Wishlist items: Add item to wishlist POST /wishlists/{{wishlistId}}/wishlist-items
Wishlist items: Remove item from wishlist DELETE ​/wishlists​/{{wishlistId}}​/wishlist-items​/{{wishlistItemId}}
Wishlists: Retrieve wishlist data by id GET /wishlists/{{wishlistld}}
Wishlists: Update customer wishlist PATCH /wishlists/{{wishlistld}}
Wishlists: Remove customer wishlist DELETE /wishlists/{{wishlistld}}
Wishlists: Retrieve all customer wishlists GET /wishlists
Wishlists: Create wishlist POST /wishlists

Accessing protected resources

To access a protected resource, pass the access token in the Authorization header of your request. Example:

GET /carts HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJ0...
Cache-Control: no-cache

If authorization is successful, the API performs the requested operation. If authorization fails, the 401 Unathorized error is returned. The response contains an error code explaining the cause of the error.

Response sample with an error:

    "errors": [
            "detail": "Invalid access token.",
            "status": 401,
            "code": "001"

User types

Different endpoints require the client to be authenticated as different users. By default, you can:

Next steps

Retrieve protected resources