Authentication

Authentication
Addresses
Adjustments
Classifications
CMS Pages
CMS Sections
Countries
Data Feeds
Digital Links
Digital Assets
Line Items
Menu Items
Menus
Option Types
Option Values
Orders
Payment Methods
Payments
Products
Promotion Actions
Promotion Categories
Promotion Rules
Promotions
Roles
Shipments
Shipping Categories
Shipping Methods
States
Stock Items
Stock Locations
Store Credit Categories
Store Credit Types
Store Credits
Tax Categories
Tax Rates
Taxonomies
Taxons
Users
Variants
Webhook Events
Webhook Subscribers
Wished Items
Wishlists
Zones

On this page

For guest users
Using X-Spree-Order-Token header
For signed in users
Generating OAuth token
Refreshing OAuth token

Storefront API requires authorization only for certain actions associated with user account (e.g. updating saved addresses) or manipulating cart and checkout.

For guest users

Using X-Spree-Order-Token header

Cart and Checkout endpoints paths also allow interactions without the bearer token to allow creating and managing guest checkouts. When you first create a cart via:

curl --request POST \
  --url 'https://demo.spreecommerce.org/api/v2/storefront/cart?fields%5Bcart%5D=number%2Ctoken' \
  --header 'Content-Type: application/vnd.api+json'

You’ll receive a response containing an empty cart. This response also contains a data.token attribute.

{
  "data": {
    "id": "114",
    "type": "cart",
    "attributes": {
      "number": "R522550303",
      "token": "NswjLVjZOw4OpEm1yWqlJg1713367317414"
    },
    "relationships": {}
  }
}

You can store this token in the frontend session (eg. Session Storage or a cookie) and pass it in a X-Spree-Order-Token: {token} header.

For signed in users

For users who have an account in your store, you will need to generate oAuth tokens to authenticate requests to endpoints such as Account, Cart and Checkout.

Generating OAuth token

To obtain a token, execute the following curl command:

curl -X POST http://localhost:3000/spree_oauth/token \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data "grant_type=password&username=spree@example.com&password=spree123"

You should receive a JSON response with a access_token and a refresh_token, eg.

{
  "access_token": "CmVXoDp6f5Y51s2xFAAdSbdT5wcGZIuGKKr27zAkBvQ",
  "token_type": "Bearer",
  "expires_in": 7200,
  "refresh_token": "g5xPzY51_QYyok-ZcH9f4_btBkT_RZ6pB7ugGRaMjQQ",
  "created_at": 1713367848
}

Refreshing OAuth token

OAuth tokens obtained via the previous step are valid only for a specific time (defined in expires_in attribute). After that period, you can refresh the token by executing the following curl command:

curl -X POST http://localhost:3000/spree_oauth/token \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data "grant_type=refresh_token&refresh_token=g5xPzY51_QYyok-ZcH9f4_btBkT_RZ6pB7ugGRaMjQQ"

On a success, you’ll receive a new bearer token to use when accessing the API, eg.

{
  "access_token": "JVMcaoCkxV4o2xofhAwf7ReeFEWUM94ZnVSKRITd3TQ",
  "token_type": "Bearer",
  "expires_in": 7200,
  "refresh_token": "nMlyfxfA9U6xfSDnFhoZQzL4IOkDc-EkW1y66ZTf5Oc",
  "created_at": 1713367950
}

Fetching multiple resources Retrieve an Account

API basics

Storefront API

Platform API

For guest users

Using X-Spree-Order-Token header

For signed in users

Generating OAuth token

Refreshing OAuth token

API basics

Storefront API

Platform API

​For guest users

​Using X-Spree-Order-Token header

​For signed in users

​Generating OAuth token

​Refreshing OAuth token

For guest users

Using X-Spree-Order-Token header

For signed in users

Generating OAuth token

Refreshing OAuth token