

Improve security and user management with our Authentication API.

March 20, 2024 Daniel Oh

We take authentication very seriously at Commerce Layer. Security is the keystone that makes our platform trustworthy, especially because sensitive business and customer data is stored within our merchants’ organizations. A solid authentication mechanism also needs scalable, intuitive tools that make user access easy to implement and manage.

We’ve addressed part of that with our Provisioning API release, and now we’re happy to announce our new Authentication API. This API makes it easy for Commerce Layer admins to create user accounts, log users in and grant them access via JSON Web Tokens (JWTs), and revoke JWTs whenever necessary.

The Authentication API in a nutshell

The main benefit of our new Authentication API is that it can programmatically grant and revoke access at the user level. The API generates JWTs for users, which can be done by sending a simple POST request to the https:/ endpoint. Our Provisioning API uses this new authentication mechanism to create user roles and manage resource access across organizations, but you can also build your own login processes and customize authentication JWTs to fit your own application’s needs.

The updated API introduces a new grant type, "on behalf of", which is exclusively available to our Enterprise users. This grant type generates JWTs that let users access downstream data. It eliminates the need to distribute an organization's secret key for signing the JWT: instead, you need an app equipped with a client ID and secret to obtain a valid token. That token can then be scoped with your customer ID, and custom claims can be included in it as needed. Treat the client secret like any other credential: keep it on the server side and never ship it in browser or mobile code.
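To make the "on behalf of" flow concrete, here is an added, self-contained illustration in Python (this is not Commerce Layer's code and does not use its endpoints or parameter names). It assumes a hypothetical token issuer that keeps the organization's signing key to itself, authenticates an app by client ID and secret, mints an HS256 JWT carrying a `customer_id` plus custom claims, verifies such tokens, and revokes one by its `jti`. All keys, client credentials and claim values below are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo data, not Commerce Layer's. The organization's signing key
# never leaves the token issuer; integrating apps hold only a client ID/secret.
ORG_SIGNING_KEY = b"org-signing-key-that-stays-on-the-issuer"
REGISTERED_APPS = {
    # client_id -> sha256(client_secret). A production store would use a slow
    # password hash (argon2/scrypt) rather than a bare sha256.
    "app_123": hashlib.sha256(b"app-secret-123").hexdigest(),
}
RESERVED_CLAIMS = {"iss", "sub", "iat", "exp", "jti", "customer_id"}
REVOKED_JTIS = set()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def _sign(signing_input: str) -> bytes:
    return hmac.new(ORG_SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()


def issue_on_behalf_of(client_id, client_secret, customer_id,
                       custom_claims=None, ttl=3600, now=None):
    """Token endpoint: authenticate the app, then mint a JWT scoped to one customer."""
    expected = REGISTERED_APPS.get(client_id)
    provided = hashlib.sha256(client_secret.encode()).hexdigest()
    # Constant-time compare, run even for unknown client IDs so timing does not
    # reveal which IDs exist.
    if not hmac.compare_digest(expected or "0" * 64, provided) or expected is None:
        raise PermissionError("invalid client credentials")
    now = int(time.time()) if now is None else now
    payload = {
        "iss": "demo-auth-server",
        "sub": client_id,            # the app the token was issued to
        "customer_id": customer_id,  # the customer it acts on behalf of
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(16),  # unique ID so single tokens can be revoked
    }
    for name, value in (custom_claims or {}).items():
        if name in RESERVED_CLAIMS:
            raise ValueError(f"custom claim {name!r} would override a reserved claim")
        payload[name] = value
    signing_input = f"{_encode({'alg': 'HS256', 'typ': 'JWT'})}.{_encode(payload)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify(token: str, now=None) -> dict:
    """Check signature, expiry and revocation; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the token's header (blocks alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = _sign(f"{header_b64}.{payload_b64}")
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if now >= payload["exp"]:
        raise ValueError("token expired")
    if payload["jti"] in REVOKED_JTIS:
        raise ValueError("token revoked")
    return payload


def revoke(token: str, now=None) -> str:
    """Revoke a still-valid token by its jti; returns the revoked jti."""
    jti = verify(token, now)["jti"]
    REVOKED_JTIS.add(jti)
    return jti


def forge_claim(token: str, name: str, value) -> str:
    """Attacker's attempt: rewrite one claim while keeping the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[name] = value
    return f"{header_b64}.{_encode(payload)}.{sig_b64}"


if __name__ == "__main__":
    tok = issue_on_behalf_of("app_123", "app-secret-123", "cust_42", {"scope": "orders:read"})
    print(verify(tok))
    print("revoked", revoke(tok))
```

The point of the split is visible in the code: only the issuer holds `ORG_SIGNING_KEY`, so a leaked app secret lets an attacker request tokens (which you can then revoke by `jti`) but never mint or alter them, and `forge_claim` shows that changing `customer_id` in the payload invalidates the signature.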

As part of migrating our authentication process to the new Authentication API, we will continue to support the legacy endpoints and syntax until the end of October 2024. Make sure you update your integration before then to avoid any issues.

Maintaining security while improving experience

The primary purpose of our new Authentication API is to maintain the security of our platform while creating a better developer experience by streamlining the authentication process. By granting JWTs to users directly through the API, users or applications can gain proper access with a single POST call. This lowers the development effort of building integrations and applications that need access to Commerce Layer resources.

All in all, we’re confident that our new Authentication API can make developers’ lives easier without compromising any of our platform’s security. As always, we’d love to hear what you think about our new Authentication API. Take a look at our docs and start testing, and if you’d like to give us direct feedback, join the conversation on our Slack channel!
