Checkout Authentication
General
The Checkout Authentication API, also known as the Auth API, serves the purpose of registering and logging in customers, including guest customers without passwords, as well as resetting a customer's password. This API enables you to:
- Acquire an access token, which grants you the ability to both retrieve and modify customer data via the Customer Account API
- Initiate the checkout process with the web component
- View all active sessions for a given customer and invalidate specific tokens or sessions.
To implement custom login and registration forms, as well as the password reset flow on your storefront, you'll need to make calls from your frontend to your backend. Subsequently, your backend will communicate with the Auth API.
Auth API is designed exclusively for backend-to-backend interactions. Making direct calls from the frontend to the Auth API is not supported
This guide provides you with the necessary information to seamlessly integrate with the Auth API, elucidating key concepts and relevant endpoints. For specific endpoint details, refer to the Auth API specification.
Auth API
Create an API Client in the SCAYLE Panel
Before you can interact with the Auth API, you have to create an API client in the SCAYLE Panel to obtain your client_id and client_secret.
To create a token:
- Navigate to
Shops > Storefront > API keys. - Click + Generate OAuth Credentials.
- Enter a Name and click Create Token.
The ID and token are then displayed only once!
SCAYLE Panel: Generate Authentication API token
Make sure to store those credentials safely in your backend. All the endpoints explained in the following chapters require you to provide the client_id and client_secret as a Basic Auth header on the request.
Example
Authorization: Basic {base64Encode({client_id}:{client_secret})}
Authenticate using the AuthApi
The Auth API offers various endpoints, each requiring different authentication methods based on the use case:
- Basic Auth: Utilize OAuth Client credentials for secure access.
- Bearer Auth: Employ Access Tokens for authenticated requests.
- No Auth: Some endpoints are publicly accessible without authentication.
Consult the Api Specification for detailed authentication requirements for each endpoint.
For endpoint access, use the following host: https://{{tenant-space}}.auth.scayle.cloud
Responses
AuthApi HTTP Status Codes and Error Handling
The AuthApi uses HTTP status codes to signify the outcome of API requests:
- 2xx: Successful operations.
- 4xx: Failures due to incorrect or insufficient information provided by the user.
- 5xx: Errors originating from AuthApi's servers.
In the event of an error, AuthApi issues an error response with error details. Typically, this includes a single error, but some endpoints may return multiple errors.
For a comprehensive understanding, refer to the following tables detailing status codes, error responses, and error entities.
HTTP status codes
| HTTP Status Code | Description |
|---|---|
| 200 - OK | Request successfully fulfilled. |
| 201 - Created | New resource successfully created. |
| 204 - No Content | Request fulfilled with no content to send in the response. |
| 206 - Partial Content | Partial content of the requested resource successfully delivered.. |
| 400 - Bad Request | Request contains invalid parameters or is malformed. |
| 401 - Unauthorized | Authentication failed or missing, see access. |
| 404 - Not Found | Specified resource does not exist. |
| 408 - Request Timeout | Request timed out on the server. |
| 409 - Conflict | Conflict with the current state of the resource. |
| 412 - Precondition Failed | Failure in a requested dependency. |
| 413 - Payload Too Large | Request entity exceeds the server's size limits. |
| 424 - Failed Dependency | Request failed due to failure of dependency. |
| 500 - Internal Server Error | An unexpected error on the AuthApi server. |
| 503 - Service Unavailable | AuthApi is temporarily unavailable. |
