Oracle Commerce Cloud Service uses OAuth 2.0 with Bearer Tokens to authenticate third-party applications. When you register an application, the service automatically generates a JSON Web Token called an application key. You send the application key in a POST request and Oracle Commerce Cloud Service responds with an access token that the application uses in all future requests.
After you register an application, you must copy its application key so you can include it in the application’s authentication header.
Note: Application keys should be stored securely and all requests that include them must be sent via HTTPS.
Send the authentication header in a POST request to the endpoint /ccadmin/v1/login. The header must include the grant type client_credentials.
The following example shows an authentication header and request body that includes an application key for a registered application that will access the Admin API:
POST /ccadmin/v1/login HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwiY29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9sZSJdLCJpYXQiOjE0MTI2MjQzNDB9.WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs=

grant_type=client_credentials
The following example shows the server’s JSON response, which includes the access token:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwiY29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9sZSJdLCJpYXQiOjE0MTI2MjQzNDB9.WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs=",
  "token_type": "bearer"
}
Now whenever the application needs to access a secured endpoint, it issues a request with an authorization header that contains the access token. The following example shows an authentication header for a request that returns orders.
GET /ccadmin/v1/orders HTTP/1.1
Host: server.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwiY29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9sZSJdLCJpYXQiOjE0MTI2MjQzNDB9.WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs=
Refresh the access token
The access token you exchange for the application key is a short-lived token. To obtain a token that has a longer lifespan, issue a POST request to the endpoint /ccadmin/v1/refresh. Include the current valid access token in the authorization header, just as you would for any other authenticated request. Oracle Commerce Cloud Service generates and returns a new token with an extended lifespan.
The following example is an authorization header that refreshes an access token for the Admin API:
POST /ccadmin/v1/refresh HTTP/1.1
Host: server.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwiY29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9sZSJdLCJpYXQiOjE0MTI2MjQzNDB9.WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs=
The following example shows the server’s response, which includes the new, extended-lifetime token:
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwiY29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9sZSJdLCJpYXQiOjE0MTI2MjQzNDB9.WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs=",
  "token_type": "bearer"
}
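The login and refresh steps described above, from the client side, as an added example that is not Oracle's code: it builds both POST requests, refuses any non-HTTPS base URL, and reads the token's exp claim to decide when to call /ccadmin/v1/refresh. The function names and the 300-second refresh margin are assumptions; the sample token is the one shown in the examples above.

```python
import base64
import json
import urllib.parse
import urllib.request

# Sample token copied from the examples on this page (long expired).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE0MTI3MTA3NDEsInN1YiI6Iml1c2VyNDAwMTgiLCJpc3MiOiJhZG1pblVJIiwi"
    "Y29tLm9yYWNsZS5hdGcuY2xvdWQuY29tbWVyY2Uucm9sZXMiOlsiY29tbWVyY2VVc2VyUm9s"
    "ZSJdLCJpYXQiOjE0MTI2MjQzNDB9."
    "WBkoiWVNu6hNx9x8mxh7V65wBNYdKOjBfWA7OGfvhxs="
)

def token_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.
    Use only for scheduling refreshes; the server remains the authority."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_refresh(token, now, margin=300):
    """True once `now` (epoch seconds) is within `margin` seconds of exp.
    The 300-second default is an assumption, not a documented value."""
    return now >= token_claims(token)["exp"] - margin

def build_request(base_url, path, bearer, form=None):
    """Build an authenticated POST; reject plain-HTTP base URLs so the
    application key or access token never leaves the host unencrypted."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("bearer tokens must only be sent over HTTPS")
    data = urllib.parse.urlencode(form).encode() if form else b""
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method="POST")
    req.add_header("Authorization", "Bearer " + bearer)
    if form:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def login_request(base_url, app_key):
    """Exchange the application key for an access token."""
    return build_request(base_url, "/ccadmin/v1/login", app_key,
                         {"grant_type": "client_credentials"})

def refresh_request(base_url, access_token):
    """Ask for a longer-lived token using the current valid access token."""
    return build_request(base_url, "/ccadmin/v1/refresh", access_token)
```

Pass the returned request to urllib.request.urlopen to send it, and keep the application key and tokens out of logs and error messages.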