Authorization is the process of determining which resources a user or application may access and which actions it may perform on them, i.e. its access rights.

Appibase uses OAuth 2.0 to authorize client applications and issue them an Access Token for calling protected resources. OAuth 2.0 defines several authorization grants (flows) for obtaining an Access Token.

In line with the OAuth 2.0 Security Best Current Practice, Appibase supports the following authorization grant flows:

  1. Authorization Code flow with PKCE (together with the Refresh Token grant type for renewing Access Tokens)
  2. Client Credentials flow

For both the Admin API and the Storefront API, the Authorization Code flow with PKCE and the Refresh Token grant type are used when the Resource Owner is an end-user, i.e. a User for the Admin API or a Customer for the Storefront API. The Client Credentials grant type is used when the Resource Owner is the client application itself and no end-user is involved.

Supported Grant Types

  Resource Owner       Grant Type
  End-User             Authorization Code (with PKCE)
                       Refresh Token
  Client Application   Client Credentials
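The following is an added example (not Appibase's own code) showing the client side of the three grant types above and the server-side PKCE check that makes the Authorization Code flow safe for public clients: generating a code_verifier and its S256 code_challenge, building the authorization request, and building the token requests for the authorization_code, refresh_token and client_credentials grants. The endpoint URLs, client identifiers, scopes and callback values are assumptions for illustration; substitute the values published by your authorization server.

```python
"""PKCE and OAuth 2.0 grant-type request builder.

Added example, not Appibase's own code. AUTHORIZE_URL, TOKEN_URL and the
client_id/scope values used by callers are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Assumed endpoints; the page does not document Appibase's real URLs.
AUTHORIZE_URL = "https://auth.example.com/oauth/authorize"
TOKEN_URL = "https://auth.example.com/oauth/token"


def _b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Random code_verifier: 43..128 chars from the unreserved set [A-Za-z0-9-._~].

    32 random bytes base64url-encoded yield exactly 43 characters.
    """
    return _b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, code_challenge: str) -> str:
    """Step 1 of the Authorization Code flow: redirect the end-user here.

    'state' binds the callback to this session (CSRF protection); the
    challenge, not the verifier, leaves the client at this point.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verify_callback_state(expected_state: str, callback_params: dict) -> bool:
    """Reject a callback whose state does not match the one we issued."""
    got = callback_params.get("state", "")
    return hmac.compare_digest(expected_state, got)


def authorization_code_token_request(client_id: str, redirect_uri: str,
                                     code: str, code_verifier: str) -> dict:
    """Step 2: form body POSTed to TOKEN_URL to exchange the code for tokens.

    Sending the original verifier proves the same client that began the
    flow is redeeming the code; an intercepted code alone is useless.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


def refresh_token_request(client_id: str, refresh_token: str) -> dict:
    """Refresh Token grant: obtain a new Access Token without the end-user."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}


def client_credentials_request(scope: str) -> dict:
    """Client Credentials grant: the client is the Resource Owner, no user involved."""
    return {"grant_type": "client_credentials", "scope": scope}


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """Confidential clients authenticate to the token endpoint with HTTP Basic."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def server_verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization-server side check at the token endpoint.

    Recompute S256 over the presented verifier and compare it in constant
    time with the challenge stored alongside the issued authorization code.
    """
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("app-client", "https://app.example.com/cb",
                                  "storefront", state, challenge))
    # Constructed callback, as if the end-user had just been redirected back.
    cb = {"code": "constructed-code", "state": state}
    assert verify_callback_state(state, cb)
    print(authorization_code_token_request("app-client", "https://app.example.com/cb",
                                           cb["code"], verifier))
    print("server accepts verifier:", server_verify_pkce(challenge, verifier))
```

The verifier and challenge are generated per authorization request and the challenge is what the authorization server stores with the code; the S256 method is the one to use, since the plain method lets anyone who observes the authorization request redeem an intercepted code.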