When you register an application, Oracle Commerce Cloud automatically generates a JSON Web Token called an application key. You send the application key in the authorization header of a POST request, and Oracle Commerce Cloud responds with an access token that the application must supply in subsequent requests.

Note: Application keys should be stored securely and all requests that include them must be sent via HTTPS.

Send the authorization header in a POST request to the appropriate login endpoint. The Content-Type header value must be set to application/x-www-form-urlencoded, and the body of the request must include the grant type client_credentials. For example:

POST /ccadmin/v1/login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <application_key>

grant_type=client_credentials

The following example shows the server’s JSON response, which includes the access token:

{
  "access_token": "<access_token>",
  "token_type": "bearer"
}

From this point on, whenever the application needs to access a secured endpoint, it must issue a request with an authorization header that contains the access token. The following example shows an authorization header for a request that returns orders:

GET /ccadmin/v1/orders HTTP/1.1
Authorization: Bearer <access_token>
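
The exchange above as client code, added here as an example and not Oracle's own code. The paths, headers and grant type come from the requests shown above; the function names, the base URL argument and the injectable `send` transport are assumptions made for illustration.

```python
import json
import urllib.parse
import urllib.request


def _require_https(url):
    # Requests that carry an application key or access token must use HTTPS.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return url


def build_login_request(base_url, application_key):
    # application_key should come from a secret store or environment, never source code.
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        _require_https(base_url.rstrip("/") + "/ccadmin/v1/login"),
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": "Bearer " + application_key,
        },
    )


def fetch_access_token(base_url, application_key, send=urllib.request.urlopen):
    # `send` is injectable (assumption) so the flow can be exercised offline.
    with send(build_login_request(base_url, application_key)) as resp:
        payload = json.load(resp)
    token = payload.get("access_token")
    if not token or str(payload.get("token_type", "")).lower() != "bearer":
        raise ValueError("login response did not contain a bearer access token")
    return token


def build_authorized_request(base_url, path, access_token):
    # Secured endpoints (for example /ccadmin/v1/orders) take the access token.
    return urllib.request.Request(
        _require_https(base_url.rstrip("/") + path),
        headers={"Authorization": "Bearer " + access_token},
    )
```
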

Copyright © 1997, 2017 Oracle and/or its affiliates. All rights reserved.