Abowire uses OAuth2 and OpenID Connect (OIDC) to authenticate third-party applications. OAuth2 is a secure, standard way to grant third-party applications access to Abowire resources.
To access any of our API's resources you will need an Access Token. You can request one using one of the authentication flows below. Access Tokens are scoped to the resources your credentials are authorized to access, so a token never grants more than the credentials that produced it.

The OAuth flow

We highly recommend using a library to handle the OAuth2 authentication process and avoiding custom implementations. You can find a list of client libraries here.
A confidential OAuth 2.0 Client (one that holds a Secret Key) sends its credentials to the token endpoint using HTTP Basic Authorization, always over HTTPS.

Frontend applications

For frontend flows use the OAuth Authorization Code flow, which only requires your Client ID. Because a browser cannot keep a secret, the security of this flow rests on the redirect to your callback URL: use a library that implements PKCE and validates the state parameter rather than hand-rolling the redirect handling.
Use the following flow to ask an Abowire user for consent to grant access to the required resources. This is the flow used by the Checkout and Customer Portal SDK.
If you want to authenticate fully in the frontend, we recommend the OIDC client IdentityModel/oidc-client-js on GitHub: OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications.
The flow works as follows:
    Start the flow by creating an Authorization URL with your Client ID and a callback URL.
    Redirect the user to this Authorization URL. The user will have to log in and grant your application access to Abowire.
    After a successful grant, the user will be redirected to the callback URL you specified with an Authorization Code.
    Exchange the Authorization Code for a Request Token.
    Exchange the Request Token for an Access Token.

Backend applications

For backend-to-backend communication use the Client Credentials flow. This flow is simpler and requires your Client ID and Secret Key. Never expose your Secret Key: keep it server-side, out of source control and out of any code shipped to a browser.
    Use your credentials to request a Request Token.
    Exchange the Request Token for an Access Token.
Note: these API keys generate Access Tokens that are not associated with any user, which is why you will not be able to use the /user/me endpoints. Nevertheless, since they have admin permissions, you can fetch any user within your account; treat the Secret Key as an admin credential accordingly.
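The backend flow above, as an added example that is not Abowire's code. It builds the Client Credentials request with the credentials in an HTTP Basic Authorization header (encoded as RFC 6749 section 2.3.1 requires, which matters as soon as a Client ID or Secret Key contains characters such as `:` or `@`), validates the token response before trusting it, and reuses the Access Token until shortly before it expires so the Secret Key is presented as rarely as possible. The token endpoint URL is a placeholder, the sample token response is constructed, and the exchange is modelled as a single RFC 6749 request rather than the intermediate Request Token step listed above.

```javascript
// Added example: Client Credentials flow from a backend, with Basic auth,
// response validation and expiry-aware reuse. Not Abowire's code.
const TOKEN_ENDPOINT = "https://auth.example.invalid/oauth2/token"; // assumed placeholder

// RFC 6749 section 2.3.1: client_id and client_secret are form-urlencoded
// before being joined with ':' and base64-encoded into the Basic header.
function basicAuthHeader(clientId, clientSecret) {
  const formEncode = (s) => encodeURIComponent(s).replace(/%20/g, "+");
  const pair = `${formEncode(clientId)}:${formEncode(clientSecret)}`;
  return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

// The token request: credentials in the header, grant type (and optional scope) in
// the form body. Nothing about the client goes in the URL, where it would be logged.
function buildClientCredentialsRequest(clientId, clientSecret, scope) {
  const params = new URLSearchParams({ grant_type: "client_credentials" });
  if (scope) params.set("scope", scope);
  return {
    url: TOKEN_ENDPOINT,
    method: "POST",
    headers: {
      Authorization: basicAuthHeader(clientId, clientSecret),
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body: params.toString(),
  };
}

// Validate the JSON token response and compute an absolute expiry. A missing
// expires_in is treated as "already expired" so the token is re-requested rather
// than cached forever.
function parseTokenResponse(json, now = Date.now()) {
  if (typeof json.access_token !== "string" || json.access_token.length === 0) {
    throw new Error("token response without access_token");
  }
  if (String(json.token_type || "").toLowerCase() !== "bearer") {
    throw new Error(`unexpected token_type: ${json.token_type}`);
  }
  const ttl = json.expires_in === undefined ? 0 : Number(json.expires_in);
  if (!Number.isFinite(ttl) || ttl < 0) throw new Error("invalid expires_in");
  return { accessToken: json.access_token, expiresAt: now + ttl * 1000 };
}

// Refresh a little before expiry so an in-flight API call never carries a token
// that expires on the wire.
function needsRefresh(cached, now = Date.now(), skewMs = 30_000) {
  return !cached || now >= cached.expiresAt - skewMs;
}

// The live exchange (Node 18+ global fetch). Defined for completeness; nothing in
// this file calls it, so the example runs without network access.
async function requestAccessToken(clientId, clientSecret, scope) {
  const req = buildClientCredentialsRequest(clientId, clientSecret, scope);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  return parseTokenResponse(await res.json());
}

// Demo with a constructed token response (not a real Abowire response).
const demoRequest = buildClientCredentialsRequest("your-client-id", "your-secret-key");
const demoToken = parseTokenResponse(
  { access_token: "constructed-sample-token", token_type: "Bearer", expires_in: 3600 },
  Date.now()
);
console.log(demoRequest.headers.Authorization.startsWith("Basic "), needsRefresh(demoToken));
```

Read the Secret Key from an environment variable or a secrets manager at startup and hold the parsed token in memory; if several workers share one set of credentials, cache the token centrally so each worker does not hit the token endpoint on its own.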



Scopes

    Request an OpenID Connect ID Token: required.
    Request access to the OpenID profile: not required.
    Refresh tokens: not required; this scope is only needed when your application requests refresh tokens.