All requests to Commerce API need to be authenticated. At a high level, this flow has the following steps:

  1. The merchants' application makes an authorization request to the Authorization Server using its client credentials.

  2. If the credentials are accurate, the server responds with an access token.

  3. The merchants' application uses the access token to make authorized requests to the resource server.

  4. CommerceAPI validates the token before responding to the request.

Request for token

Your Client ID and Client Secret are the master keys to your account. Keep them safe and do not share them outside of your organization. You can obtain your Client ID and Client Secret from your implementation manager.

Base64 encode the client ID and secret and then pass through Basic Authentication in the request to the Authorization Server's /token endpoint:

curl --request POST \
  --url \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hY...' \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=app.commerceapi'


Note: The client ID and secret aren't included in the POST body, but rather are placed in the HTTP Authorization header following the rules of HTTP Basic Auth.

Note the parameters that are being passed:

  • grant_type is client_credentials, indicating that we are using the Client Credentials grant type.
  • scope must be set to app.commerceapi.

If the credentials are valid, the application receives an access token:

    "access_token": "eyJhbG[...]1LQ",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "app.commerceapi"

Using a token

After requesting a bearer token, you can use it to communicate with CommerceAPI. Each token will expire after 3600 seconds ( 60 minutes ). Progressive recommends that merchants cache this token and build a retry mechanism into their application to handle requesting a new token when needed.

Send the token in the Authorization header when making requests to CommerceAPI:

curl --request GET \
  --url \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJhbG[...]1LQ' \
  --header 'cache-control: no-cache'