Authentication and authorization

Edit on GitHub
You are browsing a previous version of the document. The latest version is 202204.0.

Protected resources in Spryker Glue API require user authentication. For the authentication, Spryker implements the OAuth 2.0 mechanism. On the REST API level, it is represented by the Login API.

To get access to a protected resource, a user obtains an access token. An access token is a JSON Web Token used to identify a user during API calls. Then, they pass the token in the request header.


For security purposes, access tokens have a limited lifetime. When retrieiving an access token, the response body also contains the token’s lifetime, in seconds. When the lifetime expires, the token can no longer be used for authentication.

There is also a refresh token in the response. When your access token expires, you can exchange the refresh token for a new access token. The new access token also has a limited lifetime and a new refresh token.

The default lifetime of the access tokens is 8 hours (28800 seconds) and 1 month (2628000 seconds) of the refresh tokens.

For security purposes, when you finish sending requests as a user, or if a token gets compromised, we recommend revoking the refresh token. Revoked tokens are marked as expired on the date and time of the request and can no longer be exchanged for access tokens.

Expired tokens are stored in the database, and you can configure them to be deleted. For details, see Deleting expired refresh tokens.

Protected resources

Below, you can find a list of the default protected resources. As Glue API is highly customizable, a shop is likely to have its own list of protected resources. To avoid extra calls, we recommend retrieving protected resources of the shop before you start working with the API or setting up a flow.

Action Method Endpoints
Customer - Retrieve a customer GET /customers/{{customer_reference}}
Customer - Update information PATCH /customers/{{customer_reference}}
Customer - Change password PATCH /customers/{{customer_reference}}
Customer - Delete DELETE /customers/{{customer_reference}}
Customer - Create a new address POST /customers/{{customer_reference}}/addresses
Customer - Update an existing address PATCH /customers/{{customer_reference}}/addresses/{{customer_address_uuid}}
Customer - Delete an address DELETE /customers/{{customer_reference}}/addresses/{{customer_address_uuid}}
Customer - Retrieve orders GET /orders
Customer - Retrieve an order GET /orders/{{order_id}}
Cart - Create a new cart POST /carts
Cart - Retrieve carts GET /carts
Cart - Retrieve a cart GET /carts/{{cart_uuid}}
Cart - Add an item to a cart POST /carts/{{cart_uuid}}/items
Cart - Update item quantity PATCH /carts/{{cart_uuid}}/items/{{concrete_sku}}
Cart - Remove a cart DELETE /carts/{{url}}/carts/{{cart_uuid}}
Cart - Remove items from a cart DELETE /carts/{{cart_uuid}}/items/{{concrete_id}}
Wishlist - Add an item to a wishlist POST /wishlists/{{wishlist_uuid}}/wishlist-items
Wishlist - Create a wishlist POST /wishlists
Wishlist - Delete a wishlist DELETE /wishlists/{{wishlist_uuid}}
Wishlist - Delete an item from a wishlist DELETE /wishlists/{{wishlist_id}}/wishlist-items/{{concrete_sku}}
Wishlist - Retrieve wishlists GET /wishlists
Wishlist - Retrieve a wishlist GET /wishlists/{{wishlist_uuid}}
Wishlist - Rename a wishlist PATCH /wishlists/{{wishlist_uuid}}
Agent - search by customers GET agent-customer-search
Agent - impersonate a customer POST /agent-customer-impersonation-access-tokens

Accessing protected resources

To access a protected resource, pass the access token in the Authorization header of your request. Example:

GET /carts HTTP/1.1
Content-Type: application/json
Authorization: Bearer eyJ0...
Cache-Control: no-cache

If authorization is successful, the API performs the requested operation. If authorization fails, the 401 Unathorized error is returned. The response contains an error code explaining the cause of the error.

Response sample with an error:

    "errors": [
            "detail": "Invalid access token.",
            "status": 401,
            "code": "001"

User types

Different endpoints require the client to be authenticated as different users. By default, you can:

Next steps