Improve security and user management with our Authentication API.

We take authentication very seriously at Commerce Layer. Security is the keystone that makes our platform trustworthy, especially when sensitive business and customer data is stored within our merchants’ organizations. Part of a solid authentication mechanism is also building scalable and intuitive tools that make it easy to implement and manage user access.

We’ve addressed part of that with our Provisioning API release, and now, we’re happy to announce our new Authentication API. This API makes it easy for Commerce Layer admins to create user accounts, login users and grant them access via JSON Web Tokens (JWTs), and revoke JWTs whenever necessary.

The Authentication API in a nutshell

The main benefit of our new Authentication API is that it can programmatically grant and revoke access at the user level. The API generates JWTs for users, which can be done by sending a simple POST request to the https:/auth.commercelayer.io/oauth/token endpoint. Our Provisioning API uses this new authentication mechanism to create user roles and manage resource access across organizations, but you can also build your own login processes and customize authentication JWTs to fit your own application’s needs.

The updated API introduces a new grant type, "on behalf of" which is exclusively available to our Enterprise users. This new grant type allows for the generation of JWTs for users to access downstream data. This improvement eliminates the need to distribute an organization's secret key for signing the JWT token. Instead, you'll require an app equipped with a client ID and secret to obtain a valid token. This token can then be enhanced with your customer ID. Additionally, it's possible to include custom claims within the token as necessary.