Skip to main content

Authentication and OAuth 2.0

SitePack uses OAuth 2.0 to securely authorize apps to access merchant data. This ensures that merchants have full control over which apps can access their store and what actions those apps can perform.

Authentication Methods

Depending on your app's architecture, SitePack supports two primary authentication methods:

1. OAuth 2.0 (Authorization Code Grant)

Used for Remote Apps (e.g., iframed apps or background services) that need to act on behalf of a merchant. This flow provides your app with an access_token and a refresh_token.

Flow Overview:

  1. Initiation: The merchant clicks "Install" in the SitePack Marketplace.
  2. Redirection: SitePack redirects the merchant to your app's redirect_uri with an authorization_code.
  3. Token Exchange: Your app exchanges the authorization_code for an access_token by calling the SitePack Token endpoint.
  4. Authorized Requests: Your app uses the access token in the X-SitePack-Access-Token header for all API requests.

2. Signed JWTs

Used for Native Apps or high-privilege system integrations. SitePack can issue signed JSON Web Tokens that allow your app to communicate with the API without a traditional OAuth exchange for every session.

The OAuth Flow in Detail

Step 1: Redirect to your app

When a merchant installs your app, SitePack redirects them to: https://your-app.com/auth/callback?code={authorization_code}&shop={shop_domain}

Step 2: Exchange code for token

Your server must make a POST request to SitePack: POST https://api.sitepack.eu/v2/oauth/token

Payload:

{
"client_id": "YOUR_APP_ID",
"client_secret": "YOUR_APP_SECRET",
"code": "{authorization_code}",
"grant_type": "authorization_code"
}

Step 3: Receive Access Token

SitePack responds with the tokens:

{
"access_token": "at_12345...",
"refresh_token": "rt_67890...",
"expires_in": 3600,
"scope": "content:read media:write"
}

Managing Tokens

  • Access Tokens: These are short-lived. Use the refresh_token to obtain a new access token when it expires.
  • Security: Never store client_secret or refresh_token in client-side code (JS). Always handle these on your secure backend.
  • Revocation: Merchants can revoke your app's access at any time from their SitePack Admin. Your app should gracefully handle 401 Unauthorized errors.

Using the Access Token

Include the token in all REST API requests using the custom X-SitePack-Access-Token header:

GET /v2/products
X-SitePack-Access-Token: YOUR_ACCESS_TOKEN
tip

Always use the X-SitePack-Access-Token header. Standard Authorization: Bearer or Basic Auth headers are not supported for resource access in the SitePack API.

Next Steps