How to authenticate

Written by: Israel Sotomayor - Published on: 19 Jan 2016
Moltin supports many different types of authentication. This post will explain what these are, how they can be used and the differences between them.

Assumptions

This post assumes you already have a Moltin account and have your Client ID and Client Secret on hand.

Introduction

Following OAuth 2.0, we call the different types of authentication that Moltin supports grant types. Depending on what you'd like to achieve, there are different grant types to use.

access_token is another important term we use in this post. You will receive this once you’re authenticated against the API to allow you to start requesting data.

Note: Bear in mind that each access_token will be valid for an hour, after that you will need to re-authenticate.

Grant types

There are four grant types offered by Moltin for authentication:

  • Client credentials
  • Password
  • Implicit
  • Refresh token

For security reasons, some grant types will not let you access certain API features; we call these restrictions scopes.

Client credentials

This is the most common and most secure way to get an access token. Client credentials give you total control over your store, as they grant access to every scope offered by the API. For this reason, it is important that you keep your client secret safe and never embed it in client-side code or share it with another person.

Required parameters

  grant_type = client_credentials
  client_id = YOUR_CLIENT_ID
  client_secret = YOUR_CLIENT_SECRET

Read scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, admin, easter-eggs, languages, cache, customer-tokens

Write scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, admin, easter-eggs, languages, cache, customer-tokens

Password

The password grant is used to request access to a store with a username and password.

Required parameters

  grant_type = password
  username = YOUR_USER_NAME
  password = YOUR_PASSWORD

Read scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, easter-eggs, languages, cache, customer-tokens

Write scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, easter-eggs, languages, cache, customer-tokens

Implicit

Client-side applications such as JavaScript websites and iOS or Android apps generally expose their client keys to end users. Because of that, the implicit grant limits what actions can be performed on the API, to contain any malicious activity (for example deleting products or editing orders). We advise that any application that exposes client keys uses the implicit grant.

Required parameters

  grant_type = implicit
  client_id = YOUR_CLIENT_ID

Read scopes

  products, categories, currencies, cart, checkout, brands, collections, shipping, flows, settings,
  statistics, taxes, files, addresses, easter-eggs, customer-tokens

Write scopes

  cart, checkout, easter-eggs, customer-tokens

Refresh token

When authenticating using the password grant_type you will also be given a refresh_token. You can then use refresh_token as the grant_type to request a new token when the access_token obtained with the password grant expires. This improves security for this kind of authentication, because you don't have to send the password again.

Notice: You will only receive a refresh_token when authenticating with a password grant type.

Required parameters

  grant_type = refresh_token
  refresh_token = YOUR_REFRESH_TOKEN

Read scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, easter-eggs, languages, cache, customer-tokens

Write scopes

  products, categories, customers, cart, currencies, brands, collections, shipping, flows, orders, taxes,
  settings, statistics, checkout, promotions, files, addresses, gateways, emails, webhooks, transactions,
  accounts, easter-eggs, languages, cache, customer-tokens

Curl examples

Client credentials

An example cURL request using the client credentials grant to get an access_token needed to request data from the API.

  curl --data 'grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET' https://api.molt.in/oauth/access_token

Implicit

An example cURL request using the implicit grant, which sends only the client_id and never the client_secret.

  curl --data 'grant_type=implicit&client_id=YOUR_CLIENT_ID' https://api.molt.in/oauth/access_token

Refresh token

An example cURL request exchanging a refresh_token (obtained from a password grant) for a new access_token.

  curl --data 'grant_type=refresh_token&refresh_token=YOUR_REFRESH_TOKEN' https://api.molt.in/oauth/access_token

After authenticating with any of these methods you can call the other API endpoints using your access token as a Bearer token. For example, you can access the products endpoint like this:

  curl -X GET https://api.molt.in/v1/products -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
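The same token flows in a small Python client, added here as an example rather than code from Moltin or the original post. It builds the form body for each grant type from the parameter lists above, refuses to send a client_secret with the implicit grant, and re-authenticates shortly before the one-hour expiry, preferring the refresh_token grant so a password is only sent once. It assumes the token endpoint returns a JSON object with access_token, expires_in (seconds) and, for the password grant, refresh_token; the transport is injectable so the logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.molt.in/oauth/access_token"
# Parameters each grant type sends. client_secret only ever travels with
# client_credentials, so a client-side (implicit) request cannot leak it.
GRANT_PARAMS = {
    "client_credentials": ("client_id", "client_secret"),
    "password": ("username", "password"),
    "implicit": ("client_id",),
    "refresh_token": ("refresh_token",),
}

def build_token_request(grant_type, **creds):
    """Return the form body for one grant type, rejecting missing or stray fields."""
    wanted = GRANT_PARAMS[grant_type]  # KeyError for an unknown grant type
    missing = [k for k in wanted if k not in creds]
    extra = [k for k in creds if k not in wanted]
    if missing or extra:
        raise ValueError(f"{grant_type}: missing={missing} unexpected={extra}")
    return urllib.parse.urlencode({"grant_type": grant_type, **{k: creds[k] for k in wanted}})

def http_post(body):
    """Default transport (needs network): POST the form body to the token endpoint."""
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

class TokenSession:
    """Holds an access_token and re-authenticates shortly before it expires."""
    def __init__(self, grant_type, post=http_post, clock=time.time, **creds):
        self.grant_type, self.creds, self.post, self.clock = grant_type, creds, post, clock
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def token(self):
        if self.access_token and self.clock() < self.expires_at - 60:  # 60 s safety margin
            return self.access_token  # still valid, reuse it
        if self.refresh_token:  # refresh instead of sending the password again
            body = build_token_request("refresh_token", refresh_token=self.refresh_token)
        else:
            body = build_token_request(self.grant_type, **self.creds)
        # Assumed response shape: access_token, expires_in (seconds), refresh_token (password grant only)
        resp = self.post(body)
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + float(resp.get("expires_in", 3600))
        self.refresh_token = resp.get("refresh_token", self.refresh_token)
        return self.access_token
```

Use `TokenSession("client_credentials", client_id=..., client_secret=...)` on a server and `TokenSession("implicit", client_id=...)` in browser-facing code; `session.token()` is the value to place in the `Authorization: Bearer` header.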
