In order to obtain an Access Token a Client application must authenticate with the Authorization Server, using its client credentials.

The Client application credentials are obtained by creating an OAuth application, within an Organization Account.

OAuth Applications

Two types of OAuth applications can be created before being able to request tokens, in order to access protected resources:

  1. Storefront Application: used to access the Storefront API
  2. Admin Application: used to access the Admin API

Client Types

In line with OAuth 2.0, a Client application is either Public or Confidential, depending on its ability to authenticate securely with the Authorization Server, i.e. its ability to keep its client credentials confidential.

  1. Confidential clients are those capable of keeping their credentials confidential, such as server-side apps. Confidential applications are issued both a Client ID and a Client Secret to be used for authentication.
  2. Public clients are those incapable of keeping their credentials confidential, such as browser-based or native apps. Public applications are issued only a Client ID to be used for authentication.

Depending on the use case, the Appibase user creates the relevant OAuth application. For instance, a storefront application is typically expected to be a Single Page Application (SPA), running on the browser, therefore a Public (or non-confidential) Storefront Application is the appropriate choice.

The Authorization Grant Type chosen to request an Access Token is also a determining factor in choosing which OAuth application to create.

Callback URLs

When creating an OAuth client application, in addition to choosing Admin or Storefront and Confidential or Public, the user can optionally add Callback URLs (also called redirection URIs). These are the locations to which the Authorization Server directs the End-User, via the User-Agent, back to the Client.

The Callback URL is the URL within your frontend app that receives the OAuth 2.0 credentials, namely the Authorization Code. Callback URLs are used in the Authorization Code flow only.
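The two checks an Authorization Server performs with the data described above, as an added example that is not Appibase's code: an exact-match check of the requested redirect URI against the registered Callback URLs, and client authentication that treats Confidential and Public clients differently. The record layout, client IDs, secret and URLs are constructed for illustration.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import List, Optional


# Constructed client record for illustration (not Appibase's storage format).
@dataclass
class OAuthApplication:
    client_id: str
    app_type: str                 # "storefront" or "admin"
    confidential: bool            # Confidential apps hold a client_secret; Public apps do not
    client_secret: str = ""
    callback_urls: List[str] = field(default_factory=list)


def redirect_uri_allowed(app: OAuthApplication, redirect_uri: str) -> bool:
    """Accept redirect_uri only if it exactly matches a registered Callback URL.
    Prefix, wildcard or host-only matching would let an unregistered URL receive
    the Authorization Code, so only byte-for-byte equality is accepted."""
    if app.app_type not in ("storefront", "admin"):
        return False
    return any(redirect_uri == registered for registered in app.callback_urls)


def authenticate_client(app: OAuthApplication, client_secret: Optional[str]) -> bool:
    """Client authentication as it would happen at the token endpoint.
    Confidential clients must present the correct secret (constant-time compare);
    Public clients are identified by client_id alone, so a secret presented by a
    Public client indicates a misconfigured or leaked credential and is rejected."""
    if app.confidential:
        return bool(client_secret) and compare_digest(app.client_secret, client_secret)
    return client_secret is None


def authorization_request_ok(app: OAuthApplication, redirect_uri: str,
                             response_type: str = "code") -> bool:
    """Callback URLs are only meaningful for the Authorization Code flow."""
    if response_type != "code":
        return False
    return redirect_uri_allowed(app, redirect_uri)


# Constructed sample applications: a Public Storefront SPA and a Confidential Admin server app.
STOREFRONT_SPA = OAuthApplication("spa-client-id-example", "storefront", False,
                                  callback_urls=["https://shop.example.com/oauth/callback"])
ADMIN_SERVER = OAuthApplication("admin-client-id-example", "admin", True,
                                client_secret="example-secret-not-real",
                                callback_urls=["https://admin.example.com/oauth/callback"])
```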