OAuth 2.0

All resource API queries, be it to the Storefront API or Admin API, require a valid access token. The role of the OAuth API is to retrieve tokens that will provide access to the protected resources.

The Authorization Framework

Appibase uses the OAuth 2.0 Authorization Framework (OAuth 2.0), an open specification, to authorize access to protected resources.

Consistent with the Framework, the following roles are defined:

  1. Authorization Server: the server issuing Access Tokens to the Client application after successfully authenticating the Resource Owner and obtaining authorization. This is the OAuth API.
  2. Resource Server: the server hosting the protected resources, accepting and responding to protected resource requests using Access Tokens. This would be the API you want to access, namely the Storefront API or Admin API.
  3. Resource Owner: the entity granting access to a protected resource. This can be an End-User or a Client application.
  4. End-User: when the Resource Owner is a person, it is referred to as an end-user. This would be represented by Appibase’s user i.e. the User model, or the Storefront’s user i.e. the Customer model.
  5. Client: the application making protected resource requests on behalf of an End-User or on its own behalf.
  6. User-Agent: the agent used by the End-User to interact with the Client e.g. a browser or a native application.


Server API
Authorization Server OAuth API
Resource Server Storefront API
Admin API

Resource Owners

API Resource Owner Type
Storefront API Customer End-User
Storefront Application Client
Admin API User End-User
Admin Application Client