Authentication and OAuth 2.0
SitePack uses OAuth 2.0 to securely authorize apps to access merchant data. This ensures that merchants have full control over which apps can access their store and what actions those apps can perform.
Authentication Methods
Depending on your app's architecture, SitePack supports two primary authentication methods:
1. OAuth 2.0 (Authorization Code Grant)
Used for Remote Apps (e.g., iframed apps or background services) that need to act on behalf of a merchant. This flow provides your app with an access_token and a refresh_token.
Flow Overview:
- Initiation: The merchant clicks "Install" in the SitePack Marketplace.
- Redirection: SitePack redirects the merchant to your app's
redirect_uriwith anauthorization_code. - Token Exchange: Your app exchanges the
authorization_codefor anaccess_tokenby calling the SitePack Token endpoint. - Authorized Requests: Your app uses the access token in the
X-SitePack-Access-Tokenheader for all API requests.
2. Signed JWTs
Used for Native Apps or high-privilege system integrations. SitePack can issue signed JSON Web Tokens that allow your app to communicate with the API without a traditional OAuth exchange for every session.
The OAuth Flow in Detail
Step 1: Redirect to your app
When a merchant installs your app, SitePack redirects them to:
https://your-app.com/auth/callback?code={authorization_code}&shop={shop_domain}
Step 2: Exchange code for token
Your server must make a POST request to SitePack:
POST https://api.sitepack.eu/v2/oauth/token
Payload:
{
"client_id": "YOUR_APP_ID",
"client_secret": "YOUR_APP_SECRET",
"code": "{authorization_code}",
"grant_type": "authorization_code"
}
Step 3: Receive Access Token
SitePack responds with the tokens:
{
"access_token": "at_12345...",
"refresh_token": "rt_67890...",
"expires_in": 3600,
"scope": "content:read media:write"
}
Managing Tokens
- Access Tokens: These are short-lived. Use the
refresh_tokento obtain a new access token when it expires. - Security: Never store
client_secretorrefresh_tokenin client-side code (JS). Always handle these on your secure backend. - Revocation: Merchants can revoke your app's access at any time from their SitePack Admin. Your app should gracefully handle
401 Unauthorizederrors.
Using the Access Token
Include the token in all REST API requests using the custom X-SitePack-Access-Token header:
GET /v2/products
X-SitePack-Access-Token: YOUR_ACCESS_TOKEN
Always use the X-SitePack-Access-Token header. Standard Authorization: Bearer or Basic Auth headers are not supported for resource access in the SitePack API.
Next Steps
- Scopes & Permissions: Understand the permissions you are requesting during the OAuth flow.
- App Manifest (app.json): Configure your
redirect_uriand scopes. - Webhooks: Use your access token to fetch data from "Thin Payload" notifications.
- Editor Elements: Learn how the
SitePackAdminSDKhandles authentication in the editor. - Admin UI Integration: Verify session tokens for your iframed interfaces.