Authorization refers to the process of verifying what resources can be accessed by users or applications, and what actions they can perform i.e. access rights.
Appibase uses OAuth 2.0 to authorize client applications and issue them an Access Token for accessing protected resources. OAuth 2.0 defines several authorization grants (or flows) for obtaining Access Tokens.
In line with the OAuth 2.0 Security Best Current Practice, Appibase supports the following authorization grant flows:
Whether the Admin API or the Storefront API is being accessed, the Authorization Code flow with PKCE together with the Refresh Token grant type is used when the Resource Owner is an end-user, i.e. the User model for the Admin API or the Customer model for the Storefront API. The Client Credentials grant type is used when the Resource Owner is a Client application.
| Resource Owner | Grant Type |
|---|---|
| End-User | Authorization Code (with PKCE) |
| Client Application | Client Credentials |
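As an added example, not Appibase's own code, this shows the PKCE part of the end-user Authorization Code flow described above: the client generates a `code_verifier` and an S256 `code_challenge`, sends only the challenge in the authorization request, and the authorization server recomputes the challenge from the verifier at the token endpoint so that an intercepted authorization code cannot be redeemed without it. The authorization endpoint URL and `client_id` are placeholders, not Appibase's real values.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Placeholder endpoint and client id; Appibase's real values are not on this page.
AUTHORIZE_URL = "https://auth.example.invalid/oauth/authorize"
CLIENT_ID = "example-client-id"


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier of 43-128 unreserved characters (RFC 7636)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_request(code_verifier: str, redirect_uri: str, state: str) -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def verify_code_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side at the token endpoint: the challenge stored with the issued
    authorization code must match the verifier presented with that code.
    Length is checked first; the comparison is constant-time."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(presented_verifier), stored_challenge)
```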