Introduction

This is the specification of the Authentication API.
Authentication Guide
The Authentication API enables seamless Identity Management with SCAYLE. It provides endpoints for user authentication (OAuth Client), token management (Bearer Auth), and integration with external identity providers such as Auth0, Salesforce, Google, or Apple SSO.
Please refer to SCAYLE's Authentication Guide for more information on
- Authentication flow
- Token handling
- Token lifetime
- Token revoke logic
- Available Identity Providers
Authentication Methods
SCAYLE offers two options for user authentication:
| Method | Description |
|---|---|
| Authenticate via OAuth APIs | The OAuth Client API provides the user-facing endpoints, enabling, for example, user creation or login, handling password reset emails, and allowing users to update their passwords within a form that the shop builds itself. |
| Authenticate via Single Sign-On | The API endpoints for Single Sign-On can be used to handle Identity Provider redirects or callbacks. |
For advanced token management, SCAYLE provides the Bearer Auth APIs.
| Method | Description |
|---|---|
| Token Management via Bearer Auth | The Bearer Auth API is designed for overall token management, allowing validation, refreshing, revocation, or deletion of tokens. The Shop can also retrieve a list of active tokens, either individually or collectively. |
Getting Started
This API MUST only be used by backend services.
Base URL
The Authentication API is served over HTTPS. All URLs referenced in the documentation have the following base:
https://{{tenant-space}}.auth.scayle.cloud/v1
Header
- Authorization Bearer Token
- Content-Type application/json
To create a token:
- Navigate to Shops ➜ Storefront ➜ API Keys.
- Click + Generate OAuth Credentials.
- Enter a Name and click Create Token.
Make sure to store those credentials safely in your backend.
API Client
Before you can interact with the Authentication API, you have to create an API client in the SCAYLE Panel to obtain your client_id and client_secret.
Authorize
Basic Authentication
All API requests must be made over HTTPS. Calls made over plain HTTP will fail.
API requests without authentication will also fail.
Username and password are required for each API request.
- Password: A dedicated secret key unique to each subaccount.
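The rules above (HTTPS-only base URL, Bearer and Basic authorization headers, JSON content type, credentials kept in the backend) as an added example in Python. This is not SCAYLE's own code; it assumes that the Basic username/password pair is the client_id/client_secret obtained from the SCAYLE Panel, that credentials are read from the environment variables SCAYLE_CLIENT_ID and SCAYLE_CLIENT_SECRET, and that "/example-endpoint" is a placeholder path, none of which the page states.

```python
"""Added example (not SCAYLE's own code): build correctly authenticated
requests for the Authentication API base URL described above.

Assumptions not stated on the page: Basic credentials are the
client_id/client_secret pair from the SCAYLE Panel, the credentials live
in SCAYLE_CLIENT_ID / SCAYLE_CLIENT_SECRET, and '/example-endpoint' is a
placeholder path."""
import base64
import os
from urllib.parse import urlparse


def build_base_url(tenant_space: str) -> str:
    """Return https://{tenant-space}.auth.scayle.cloud/v1 for a tenant space.
    The label is validated so an untrusted value cannot smuggle in a
    different host or path."""
    if not tenant_space or not tenant_space.replace("-", "").isalnum():
        raise ValueError("tenant space must be a plain hostname label")
    return f"https://{tenant_space}.auth.scayle.cloud/v1"


def require_https(url: str) -> str:
    """Reject anything that is not HTTPS. Plain-HTTP calls fail server side
    anyway, but checking client side keeps credentials from ever being sent
    in cleartext."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-HTTPS URL: {url!r}")
    return url


def request_url(tenant_space: str, path: str) -> str:
    """Join the base URL with an endpoint path and enforce HTTPS."""
    if not path.startswith("/"):
        raise ValueError("endpoint path must start with '/'")
    return require_https(build_base_url(tenant_space) + path)


def basic_auth_header(client_id: str, client_secret: str) -> dict:
    """RFC 7617 Basic credentials: base64('id:secret'), plus JSON content type."""
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret are both required")
    if ":" in client_id:  # a colon would corrupt the user-id:password split
        raise ValueError("client_id must not contain ':'")
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def bearer_headers(access_token: str) -> dict:
    """Headers for Bearer-authenticated calls; an empty or whitespace-containing
    token is rejected rather than silently sent."""
    if not access_token or any(c.isspace() for c in access_token):
        raise ValueError("access token missing or malformed")
    return {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}


def credentials_from_env() -> tuple:
    """Load the client credentials from the backend's environment instead of
    source code (assumed variable names)."""
    client_id = os.environ.get("SCAYLE_CLIENT_ID")
    client_secret = os.environ.get("SCAYLE_CLIENT_SECRET")
    if not client_id or not client_secret:
        raise RuntimeError("SCAYLE_CLIENT_ID / SCAYLE_CLIENT_SECRET not set")
    return client_id, client_secret


def redact_headers(headers: dict) -> dict:
    """Copy of the headers that is safe to log: the credential after the
    auth scheme is masked."""
    out = dict(headers)
    if "Authorization" in out:
        scheme = out["Authorization"].split(" ", 1)[0]
        out["Authorization"] = f"{scheme} ***"
    return out


if __name__ == "__main__":
    # Constructed sample values; in a real backend they come from the environment.
    url = request_url("my-shop", "/example-endpoint")
    headers = basic_auth_header("example-client-id", "example-client-secret")
    print(url)
    print(redact_headers(headers))
```

Only the redacted header dictionary is ever printed or logged; the live Authorization value stays inside the request path.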
Bearer Auth
Understand Authentication APIs
Limitations
In order to understand Prerequisites and Limitations, please refer to the Authentication Guide.
Best Practices
Detailed information on the usage of the access token and refresh token, as well as overall token handling, can be found within the Authentication Guide.
Download Full Reference
Using Postman or similar tools? You can download this reference as a JSON file and import it to start sending requests directly.