Glue API authentication and authorization
Edit on GitHubThis is a document related to the Old Glue infrastructure. For the new one, see Decoupled Glue API
Protected resources in Spryker Glue API require user authentication. For the authentication, Spryker implements the OAuth 2.0 mechanism. On the REST API level, it is represented by the Login API.
To get access to a protected resource, a user obtains an access token. An access token is a JSON Web Token used to identify a user during API calls. Then, they pass the token in the request header.
For security purposes, access tokens have a limited lifetime. When retrieving an access token, the response body also contains the token’s lifetime, in seconds. When the lifetime expires, the token can no longer be used for authentication.
There is also a refresh token in the response. When your access token expires, you can exchange the refresh token for a new access token. The new access token also has a limited lifetime and a new refresh token.
The default lifetime of the access tokens is 8 hours (28800 seconds) and 1 month (2628000 seconds) of the refresh tokens.
For security purposes, when you finish sending requests as a user, or if a token gets compromised, we recommend revoking the refresh token. Revoked tokens are marked as expired on the date and time of the request and can no longer be exchanged for access tokens.
Expired tokens are stored in the database, and you can configure them to be deleted.
Protected resources
Below, you can find a list of the default protected resources. As Glue API is highly customizable, a shop is likely to have its own list of protected resources. To avoid extra calls, we recommend retrieving protected resources of the shop before you start working with the API or setting up a flow.
| ACTION | METHOD | ENDPOINTS |
|---|---|---|
| Customer: Retrieve a customer | GET | /customers/{{customer_reference}} |
| Customers: Update customer address | PATCH | /customers/{{customer_id}}/addresses/{{address_id}} |
| Customers: Delete customer address | DELETE | /customers/{{customer_id}}/addresses/{addressId} |
| Customers: Retrieve list of all customer addresses | GET | /customers/{{customer_id}}/addresses |
| Customers: Create customer address | POST | /customers/{{customer_id}}/addresses |
| Customers: Retrieve customer data | GET | /customers/{{customerId}} |
| Customers: Update customer data | PATCH | /customers/{{customerId}} |
| Customers: Anonymize customers | DELETE | /customers/{{customerId}} |
| Customer password: Update customer password | PATCH | /customer-password/{{customerPasswordId}} |
| Cart codes: Add code to cart. | GET | /carts/{{cartId}}/cart-codes |
| Cart codes: Delete code from cart | DELETE | /carts/{{cartId}}/cart-codes/{code} |
| Carts: Retrieve cart by id | GET | /carts/{{cartId}} |
| Carts: Update a cart | PATCH | /carts/{{cartId}} |
| Carts: Delete cart by id | DELETE | /carts/{{cartId}} |
| Carts: Retrieve list of all customer’s carts | GET | /carts |
| Carts: Create cart | POST | /carts |
| Items: Add item to cart | POST | /carts/{{cartId}}/items |
| Items: Update cart item quantity | PATCH | /carts/{{cartId}}/items/{{itemId}} |
| Items: Remove item from cart | DELETE | /carts/{{cartId}}/items/{{itemId}} |
| Companies: Retrieve company by id | GET | /companies/{{companyId}} |
| Companies: Retrieve company collection | GET | /companies |
| Company business unit addresses: Retrieve company business unit address by id | GET | /company-business-unit-addresses/{{companyBusinessUnitAddressId}} |
| Company business unit addresses: Retrieve company business unit addresses collection | GET | /company-business-unit-addresses |
| Company roles: Retrieve company role by id | GET | /company-roles/{{companyRoleId}} |
| Company roles: Retrieve company role collection | GET | /company-roles |
| Company user access token: Create access token for company user | POST | /company-user-access-tokens |
| Company users: Retrieve company user by id | GET | /company-users/{{companyUserId}} |
| Company users: Retrieve list of company users | GET | /company-users |
| Orders: Retrieve order by id | GET | /orders/{{orderId}} |
| Orders: Retrieve list of orders | GET | /orders |
| Product reviews: Create product review | POST | /abstract-products/{{abstractProductId}}/product-reviews |
| Refresh tokens: Revoke customer’s refresh token | DELETE | /refresh-tokens/{{refreshTokenId}} |
| Returns: Retrieve return by id | GET | /returns/{{returnld}} |
| Returns: Retrieve list of returns | GET | /returns |
| Returns: Create return | POST | /returns |
| Shared-carts: Share cart | POST | /carts/{{cartld}}/shared-carts |
| Shared-carts: Update permission group for shared cart | PATCH | /shared-carts/{{sharedCartId}} |
| Shared-carts: Delete cart sharing | DELETE | /shared-carts/{{sharedCartId}} |
| Shopping list items: Add shopping list item | POST | /shopping-lists/{{shoppingListId}}/shopping-list-items |
| Shopping list items: Update shopping list item | PATCH | /shopping-lists/{{shoppingListId}}/shopping-list-items |
| Shopping list items: Delete shopping list item | DELETE | /shopping-lists/{{shoppingListId}}/shopping-list-items |
| Shopping lists: Retrieve shopping list by id | GET | /shopping-lists/{{shoppingListId}} |
| Shopping lists: Update shopping list by id | PATCH | /shopping-lists/{{shoppingListId}} |
| Shopping lists: Delete shopping list by id | DELETE | /shopping-lists/{{shoppingListId}} |
| Shopping lists: Retrieve list of all customer’s shopping lists | GET | /shopping-lists |
| Shopping lists: Create shopping list | POST | /shopping-lists |
| Up-selling products: Retrieve list of all up-selling products for cart | GET | /carts/{{cartId}}/up-selling-products |
| Vouchers: Add a code to cart | POST | /carts/{{cartId}}/vouchers |
| Vouchers: Delete code from cart | DELETE | /carts/{{cartId}}/vouchers/{{voucherCode}} |
| Wishlist items: Add item to wishlist | POST | /wishlists/{{wishlistId}}/wishlist-items |
| Wishlist items: Remove item from wishlist | DELETE | /wishlists/{{wishlistId}}/wishlist-items/{{wishlistItemId}} |
| Wishlists: Retrieve wishlist data by id | GET | /wishlists/{{wishlistld}} |
| Wishlists: Update customer wishlist | PATCH | /wishlists/{{wishlistld}} |
| Wishlists: Remove customer wishlist | DELETE | /wishlists/{{wishlistld}} |
| Wishlists: Retrieve all customer wishlists | GET | /wishlists |
| Wishlists: Create wishlist | POST | /wishlists |
Accessing protected resources
To access a protected resource, pass the access token in the Authorization header of your request. Example:
GET /carts HTTP/1.1
Host: mysprykershop.com:10001
Content-Type: application/json
Authorization: Bearer eyJ0...
Cache-Control: no-cache
If authorization is successful, the API performs the requested operation. If authorization fails, the 401 Unathorized error is returned. The response contains an error code explaining the cause of the error.
Response sample with an error:
{
"errors": [
{
"detail": "Invalid access token.",
"status": 401,
"code": "001"
}
]
}
User types
Different endpoints require the client to be authenticated as different users. By default, you can:
Next steps
Thank you!
For submitting the form