OCAPI Client Authentication and Authorization

Open Commerce API (OCAPI) provides a RESTful interface that OCAPI clients consume (custom code). So, what about client authentication and authorization for OCAPI?

OCAPI Client Authentication

For authentication, an Account Manager administrator provisions a new client in the Account Manager with client credentials. Unlike with user authentication, you can provision OCAPI clients only in Account Manager, which enables them to authenticate against any Business Manager instance in the organization.

OCAPI Client Authorization

Unlike with global authentication, you specify an OCAPI client's authorization rules in a local Business Manager instance. That instance can have unique authorization rules. If you want the same authorization rules on multiple instances, you manually provision this or, more likely, export from the first instance and import to the second instance. As with user authorization, when you create a client in Account Manager, that client isn’t given any permissions. When they authenticate, they can’t access any OCAPI endpoints. This follows the best practice of deny-by-default.

Unlike with user authorization, OCAPI authorization is not role-based. Instead, you configure it as a set of authorization rules and configure it separately for the OCAPI Shop API and for the OCAPI Data API. You can specify the rules for a particular site or for all sites on the instance. Follow the principle of least privilege by creating several clients, with each client given only the authorization rules they need for their job.

X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.