You are browsing upcoming documentation for version 6.0 of OroCommerce, OroCRM, and OroPlatform, scheduled for release in 2024. Read version 5.1 (the latest LTS version) of the Oro documentation to get up-to-date information.
See our Release Process documentation for more information on the currently supported and upcoming releases.
Client Credentials Grant Type: Generate Token¶
To configure the authentication via the client credentials grant type and retrieve the access token:
Provide your Request URL.
The Request URL consists of your application URL and the /oauth2-token slug, e.g.,
Specify the content-type in headers:
Send a POST request with the following body parameters to the authorization server:
grant_type with the value
client_id with the client’s ID
client_secret with the client’s secret ID
Receive response from the authorization server with a JSON object containing the following properties:
token_type with the value
expires_in = 3600 seconds. Once the token is generated, it is valid for an hour and can be used multiple times within this time limit to request the necessary data. Expiration time can by configured in config/config.yml of your application.
access_token a JSON web token signed with the authorization server’s private key
Use the generated access token to make requests to the API.
POST /oauth2-token HTTP/1.1
"client_id": "your client identifier",
"client_secret": "your client secret"
"access_token": "your access token"
The received access token can be used multiple times until it expires. A new token should be requested once the previous token expires.
An example of an API request:
GET /api/users HTTP/1.1
Authorization: Bearer your access token
Access tokens for back-office and storefront API are not interchangeable. If you attempt to request data for the storefront API with a token generated for the back-office application, access will be denied.
What is B2B eCommerce and how does it differ from B2C? Read our guide to find out.