Authentication and authorization
Edit on GitHubProtected resources in Spryker Glue API require user authentication. For the authentication, Spryker implements the OAuth 2.0 mechanism. On the REST API level, it is represented by the Login API.
To get access to a protected resource, a user obtains an access token. An access token is a JSON Web Token used to identify a user during API calls. Then, they pass the token in the request header.
For security purposes, access tokens have a limited lifetime. When retrieiving an access token, the response body also contains the token’s lifetime, in seconds. When the lifetime expires, the token can no longer be used for authentication.
There is also a refresh token in the response. When your access token expires, you can exchange the refresh token for a new access token. The new access token also has a limited lifetime and a new refresh token.
The default lifetime of the access tokens is 8 hours (28800 seconds) and 1 month (2628000 seconds) of the refresh tokens.
For security purposes, when you finish sending requests as a user, or if a token gets compromised, we recommend revoking the refresh token. Revoked tokens are marked as expired on the date and time of the request and can no longer be exchanged for access tokens.
Expired tokens are stored in the database, and you can configure them to be deleted. For details, see Deleting expired refresh tokens.
Protected resources
Below, you can find a list of the default protected resources. As Glue API is highly customizable, a shop is likely to have its own list of protected resources. To avoid extra calls, we recommend retrieving protected resources of the shop before you start working with the API or setting up a flow.
| Action | Method | Endpoints |
|---|---|---|
| Customer - Retrieve a customer | GET | /customers/{{customer_reference}} |
| Customer - Update information | PATCH | /customers/{{customer_reference}} |
| Customer - Change password | PATCH | /customers/{{customer_reference}} |
| Customer - Delete | DELETE | /customers/{{customer_reference}} |
| Customer - Create a new address | POST | /customers/{{customer_reference}}/addresses |
| Customer - Update an existing address | PATCH | /customers/{{customer_reference}}/addresses/{{customer_address_uuid}} |
| Customer - Delete an address | DELETE | /customers/{{customer_reference}}/addresses/{{customer_address_uuid}} |
| Customer - Retrieve orders | GET | /orders |
| Customer - Retrieve an order | GET | /orders/{{order_id}} |
| Cart - Create a new cart | POST | /carts |
| Cart - Retrieve carts | GET | /carts |
| Cart - Retrieve a cart | GET | /carts/{{cart_uuid}} |
| Cart - Add an item to a cart | POST | /carts/{{cart_uuid}}/items |
| Cart - Update item quantity | PATCH | /carts/{{cart_uuid}}/items/{{concrete_sku}} |
| Cart - Remove a cart | DELETE | /carts/{{url}}/carts/{{cart_uuid}} |
| Cart - Remove items from a cart | DELETE | /carts/{{cart_uuid}}/items/{{concrete_id}} |
| Wishlist - Add an item to a wishlist | POST | /wishlists/{{wishlist_uuid}}/wishlist-items |
| Wishlist - Create a wishlist | POST | /wishlists |
| Wishlist - Delete a wishlist | DELETE | /wishlists/{{wishlist_uuid}} |
| Wishlist - Delete an item from a wishlist | DELETE | /wishlists/{{wishlist_id}}/wishlist-items/{{concrete_sku}} |
| Wishlist - Retrieve wishlists | GET | /wishlists |
| Wishlist - Retrieve a wishlist | GET | /wishlists/{{wishlist_uuid}} |
| Wishlist - Rename a wishlist | PATCH | /wishlists/{{wishlist_uuid}} |
| Agent - search by customers | GET | agent-customer-search |
| Agent - impersonate a customer | POST | /agent-customer-impersonation-access-tokens |
Accessing protected resources
To access a protected resource, pass the access token in the Authorization header of your request. Example:
GET /carts HTTP/1.1
Host: mysprykershop.com:10001
Content-Type: application/json
Authorization: Bearer eyJ0...
Cache-Control: no-cache
If authorization is successful, the API performs the requested operation. If authorization fails, the 401 Unathorized error is returned. The response contains an error code explaining the cause of the error.
Response sample with an error:
{
"errors": [
{
"detail": "Invalid access token.",
"status": 401,
"code": "001"
}
]
}
User types
Different endpoints require the client to be authenticated as different users. By default, you can:
Next steps
Thank you!
For submitting the form