Roles and permissions

Commerce Layer supports a granular access control system on a resource level. Each access token gets a specific set of permissions. The client and the authorization flow determine your permitted actions for each resource.

Channel

Channel applications support Client Credentials, Password and Refresh Token grant types. If public access is enabled, they can authenticate without the client_secret. In such cases, the access tokens that they get have limited permissions on sensitive data.

Client Credentials

Channel applications that authenticate through Client Credentials get the following permissions. The green icons mark the permissions that are also granted when public access is enabled.

Create, Read, Update and Delete permissions and their restrictions, per resource:

  • Skus: SKUs with stock items in the market's stock locations and a price in the market's price list.
  • Prices: prices associated with the market's price list.
  • Stock Items: stock items associated with the market's stock locations.
  • Delivery Lead Times: delivery lead times associated with the market's stock locations.
  • Orders: orders associated with the market scope. They can be read if "draft", "pending" or "placed" and updated if "draft" or "pending". Order lists are limited to one result.
  • Line Items: line items belonging to "draft" or "pending" orders, in the market scope.
  • Addresses
  • Shipping Methods: shipping methods associated with the market scope.
  • Shipments: shipments associated with "draft" or "pending" orders, in the market scope.
  • Payment Methods: payment methods associated with the market scope.
  • Credit Cards: credit cards associated with "draft" or "pending" orders, in the market scope.
  • Paypal Payments: PayPal payments associated with "draft" or "pending" orders, in the market scope.
  • Customers
  • Customer Subscriptions
  • Customer Password Resets

Password

Channel applications can authenticate a customer through the Password flow. The access tokens that they get include the client's permissions plus the ones below.

Create, Read, Update and Delete permissions and their restrictions, per resource:

  • Customers: the customer must be the authenticated resource owner.
  • Customer Addresses: the customer must be the authenticated resource owner.
  • Customer Subscriptions: the customer must be the authenticated resource owner.
  • Parcels: the parcels must belong to one of the customer's orders.

Refresh Token

An access token obtained through a refresh token inherits the same set of permissions as the one that expired.
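As an added example, not Commerce Layer's own code, here is a small Python policy check that models the restrictions spelled out in the three sections above: market scoping, the order-status rules, the resource-owner rule of the Password flow, and refresh-token inheritance. Everything the text does not state explicitly is denied by default, which is a modelling choice and not a statement about the real API; the token fields and attribute names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the channel rules described above; the real API
# enforces these server-side, and anything the page does not state is
# denied here as a modelling choice (assumption, not documented behaviour).
ORDER_READ_STATES = {"draft", "pending", "placed"}
ORDER_UPDATE_STATES = {"draft", "pending"}
OWNER_SCOPED = {"customers", "customer_addresses", "customer_subscriptions"}


@dataclass
class Token:
    grant: str                          # client_credentials | password | refresh_token
    market: str                         # the market scope the token was issued for
    customer_id: Optional[str] = None   # set only for password-flow tokens
    parent: Optional["Token"] = None    # for refresh_token: the token that expired


def effective(token: Token) -> Token:
    """A refreshed token inherits the permissions of the one it replaced."""
    while token.grant == "refresh_token" and token.parent is not None:
        token = token.parent
    return token


def allowed(token: Token, action: str, resource: str, attrs: dict) -> bool:
    """Apply the market, order-status and resource-owner restrictions."""
    t = effective(token)
    if attrs.get("market") != t.market:
        return False                    # every listed resource is market-scoped
    if resource == "orders":
        if action == "read":
            return attrs.get("status") in ORDER_READ_STATES
        if action == "update":
            return attrs.get("status") in ORDER_UPDATE_STATES
        return False                    # other actions not stated: default deny
    if resource in OWNER_SCOPED:
        # Password flow only: the customer must be the authenticated owner.
        return t.grant == "password" and attrs.get("owner") == t.customer_id
    if resource == "parcels":
        # Password flow only: the parcel must belong to one of the customer's orders.
        return t.grant == "password" and attrs.get("order_owner") == t.customer_id
    return False
```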

Other application types

Integration, Zapier, and Webapp application types have more straightforward authorization rules, as described below:

  • Integration applications support the Client Credentials grant type. The access tokens that they get include the set of permissions of their role.
  • Zapier applications get exactly the permissions required by our official Zapier app.
  • Webapp applications support Authorization Code and Refresh Token grant types. They don't bring any grants of their own to the access tokens, which get the set of permissions of the authenticated user's role. Access tokens obtained through a refresh token inherit the same set of permissions as the one that expired.
