Authentication & Authorization
Setting up
The Authentication API uses OAuth credentials to authenticate requests. You can generate and maintain your OAuth credentials in the SCAYLE Panel by navigating to Shops ➜ Storefront ➜ API Keys.
Click + Generate OAuth Credentials, enter a Name, and click Create Token to obtain your client_id and client_secret.
Important: Store these credentials securely in your backend (for example in a secrets manager or server-side configuration), never in browser, mobile, or other client-side code. This API MUST only be used by backend services.
Base URL
You can access the Authentication API by issuing HTTPS requests to:
https://{{tenant-space}}.auth.scayle.cloud/v1
If your Tenant is "acme" and the space is "live", the Authentication API URL is:
https://acme-live.auth.scayle.cloud/v1
All API requests must be made over HTTPS. Calls made over plain HTTP will fail.
API requests without authentication will also fail.
Basic Authentication
All API requests require Basic Authentication using the client_id and client_secret obtained from the SCAYLE Panel.
Include the following headers with every request:
| Header | Value |
|---|---|
| Authorization | Basic {base64(client_id:client_secret)} |
| Content-Type | application/json |
Authenticated Request
The following example shows how to build the Basic Authentication header and issue an authenticated request. Replace the placeholder values with your actual credentials and tenant-space URL.
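The code below is an added example in Python (standard library only), not code from the SCAYLE documentation. It builds the base URL from tenant and space, assembles the Basic Authentication headers, refuses a non-HTTPS base URL before any credential leaves the process, and POSTs a JSON payload. The endpoint path "/example-endpoint", the payload, and the SCAYLE_CLIENT_ID / SCAYLE_CLIENT_SECRET environment variable names are placeholders and assumptions; this page documents only the base URL and the required headers.

```python
"""Issue a Basic-authenticated request to the SCAYLE Authentication API.

Added example, not code from SCAYLE's documentation. The endpoint path and the
JSON payload are caller-supplied placeholders: this page documents only the base
URL and the required headers, not individual endpoints.
"""
import base64
import json
import os
import re
import urllib.error
import urllib.request

AUTH_API_HOST_SUFFIX = ".auth.scayle.cloud"
AUTH_API_VERSION = "v1"

# Tenant and space become part of a hostname, so only accept hostname-safe labels
# instead of interpolating arbitrary input into the URL.
_LABEL = re.compile(r"^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")


def is_valid_label(label: str) -> bool:
    return bool(_LABEL.match(label))


def is_https_url(url: str) -> bool:
    """The API rejects plain HTTP; refuse it client-side so credentials never go in the clear."""
    return url.lower().startswith("https://")


def auth_api_base_url(tenant: str, space: str) -> str:
    """Build https://{tenant}-{space}.auth.scayle.cloud/v1 from validated labels."""
    for label in (tenant, space):
        if not is_valid_label(label):
            raise ValueError(f"invalid tenant/space label: {label!r}")
    return f"https://{tenant}-{space}{AUTH_API_HOST_SUFFIX}/{AUTH_API_VERSION}"


def basic_auth_headers(client_id: str, client_secret: str) -> dict:
    """Headers required on every request: Basic base64(client_id:client_secret)."""
    if ":" in client_id:
        # RFC 7617: the user-id part of a Basic credential must not contain a colon,
        # otherwise the server cannot split id and secret unambiguously.
        raise ValueError("client_id must not contain ':'")
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def authenticated_request(base_url: str, path: str, payload: dict,
                          client_id: str, client_secret: str, timeout: float = 10.0) -> dict:
    """POST a JSON payload to base_url + path using Basic Authentication.

    On an HTTP error the response body is included in the exception so the caller
    can match it against the documented error responses.
    """
    if not is_https_url(base_url):
        raise ValueError("the Authentication API must be called over HTTPS")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers=basic_auth_headers(client_id, client_secret),
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
        raise RuntimeError(f"HTTP {err.code} from {url}: {body}") from err


if __name__ == "__main__":
    # Credentials stay in backend configuration; the values below are placeholders.
    # "/example-endpoint" is a hypothetical path, not one documented on this page.
    print(authenticated_request(
        auth_api_base_url("acme", "live"),
        "/example-endpoint",
        {"example": "payload"},
        os.environ.get("SCAYLE_CLIENT_ID", "client_id"),
        os.environ.get("SCAYLE_CLIENT_SECRET", "client_secret"),
    ))
```

The HTTPS check is deliberately done in the client even though the server would reject plain HTTP: by the time the server answers, the Basic credential would already have crossed the network unencrypted.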
Bearer Auth
Once a user is authenticated, the API returns a Bearer token. Send it on subsequent requests in the Authorization header as Bearer {access_token}. A successful authentication response contains the following fields:
| Field | Description |
|---|---|
| token_type | The type of token issued. Always Bearer. |
| expires_in | Token lifetime in seconds. |
| access_token | A JWT used to authorize subsequent API requests. |
| refresh_token | A token used to obtain a new access token when the current one expires. |
If an API request is made without valid authentication, the API will return an error response. For a full list of error responses, please refer to the Errors page.
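As an added example (not the page's own code), the following Python parses such a response, rejects anything that is not a Bearer token or lacks the documented fields, derives an absolute expiry from expires_in, and produces the Authorization header for subsequent requests. The sample response is constructed; its token strings are dummies, not real JWTs. The 30-second refresh margin is a chosen value, not one the API specifies, and the refresh request itself is not shown here since this page defers it to the Authentication Guide.

```python
"""Hold a token response from the SCAYLE Authentication API and use it for Bearer auth.

Added example, not SCAYLE's own code. The sample response is constructed from the
fields this page documents (token_type, expires_in, access_token, refresh_token);
the token values are placeholders, not real JWTs.
"""
import json
import time
from dataclasses import dataclass
from typing import Optional, Union

# Refresh this many seconds before expiry so clock skew and request latency do not
# cause a request to arrive with an already-expired token. Chosen here, not an API value.
REFRESH_MARGIN_SECONDS = 30

REQUIRED_FIELDS = ("token_type", "expires_in", "access_token", "refresh_token")


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    # The refresh token is a long-lived credential: keep it server-side, like the
    # client_secret, and never hand it to a browser or mobile client.
    refresh_token: str
    expires_at: float  # Unix timestamp computed from expires_in at parse time

    def bearer_headers(self) -> dict:
        """Headers for subsequent API requests on behalf of the authenticated user."""
        return {
            "Authorization": f"Bearer {self.access_token}",
            "Content-Type": "application/json",
        }

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        """True when the access token is expired or inside the refresh margin."""
        now = time.time() if now is None else now
        return now >= self.expires_at - REFRESH_MARGIN_SECONDS


def parse_token_response(body: Union[str, bytes], now: Optional[float] = None) -> TokenSet:
    """Validate a successful authentication response and compute its absolute expiry.

    Fails closed: a response with a different token_type, missing fields, or a
    non-positive lifetime is rejected instead of being forwarded as-is.
    """
    data = json.loads(body)
    missing = [k for k in REQUIRED_FIELDS if k not in data]
    if missing:
        raise ValueError(f"token response missing fields: {missing}")
    if str(data["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']!r}")
    expires_in = int(data["expires_in"])
    if expires_in <= 0:
        raise ValueError("expires_in must be positive")
    now = time.time() if now is None else now
    return TokenSet(
        access_token=str(data["access_token"]),
        refresh_token=str(data["refresh_token"]),
        expires_at=now + expires_in,
    )


# Constructed sample response; the token strings are placeholders, not real JWTs.
SAMPLE_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "eyJ.dummy.access",
    "refresh_token": "dummy-refresh",
})


def demo(now: float = 1_700_000_000.0) -> dict:
    """Parse the sample at a fixed 'now' and report the derived state."""
    tokens = parse_token_response(SAMPLE_RESPONSE, now=now)
    return {
        "authorization": tokens.bearer_headers()["Authorization"],
        "fresh_at_issue": not tokens.needs_refresh(now),
        "needs_refresh_near_expiry": tokens.needs_refresh(now + 3600 - 10),
        "expires_at": tokens.expires_at,
    }


if __name__ == "__main__":
    print(demo())
```

Storing the absolute expires_at at parse time, rather than re-reading expires_in later, means a token cached across requests is still judged against the clock at which it was issued.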
Limitations & Best Practices
For prerequisites, limitations, and best practices for handling access tokens and refresh tokens, refer to the Authentication Guide.