Authentication and authorization overview

The Multicart OAuth implementation supports two ways of obtaining an access token:

  • Client based token for Client API
  • Service based token for Admin API

1. Client based authentication and authorization

The customer is sent to the URL

https://identity.multicartshop.com/?application=appId&return=https%3A%2F%2Fappdomain.com%2Flogin%3Fmulticart

1.1. URL pattern:

  • Endpoint: https://identity.multicartshop.com
  • Method: GET

Query params:

[application]: appId

[return]: the URL to return to after authorization, encoded with encodeURIComponent. Example: https://appdomain.com/login

[scope]: the list of required permissions, space delimited and encoded with encodeURIComponent. Example: email profile openid roles offline_access multicart.api

[state]: any data, encoded with encodeURIComponent. It is passed back unchanged in the redirect

The user performs authorization or account creation in the Multicart Identity Service. Successful authorization causes a redirect to the return address passed in the return parameter.

  • Redirect example: https://appdomain.com?code=[auth code]&state=[state]

1.2. Get access token

To get the access token, you need to make a POST request to the Multicart Identity Service:

URL pattern:

  • Endpoint: https://identity.multicartshop.com/api/connect/token
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: grant_type=authorization_code&client_id=appId&code=[auth code]&redirect_uri=https%3A%2F%2Fappdomain.com%2Flogin
  • Response Type: json

Body params:

[grant_type]: authorization_code

[client_id]: appId

[code]: [auth code]

[redirect_uri]: the redirect URL, encoded with encodeURIComponent

Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
  "access_token": [string],
  "token_type": "Bearer",
  "expires_in": 86400, // token time to live in seconds
  "scope": "multicart.api email profile openid roles offline_access",
  "id_token": [string],
  "refresh_token": [string]
}

Include the access token as an Authorization: Bearer [token] header on all API queries.

2. Service based authentication and authorization

The Client Credentials flow is a server-to-server flow. No user authentication is involved in the process. In fact, there is no user at all: the resulting access tokens do not contain a user but instead carry the Client ID as the subject.

Since there is no user authorization, the flow only interacts with the Token endpoint.

2.1. URL pattern:

  • Endpoint: https://identity.multicartshop.com/api/connect/token
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body: grant_type=client_credentials&client_id=appId&client_secret=[client_secret]&scope=[scopes]
  • Response Type: json

Body params:

[grant_type]: client_credentials

[client_id]: appId

[client_secret]: [client_secret]

[scope]: the requested scopes, space delimited and encoded with encodeURIComponent. Example: multicart.api email profile openid roles offline_access

Response

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
{
  "access_token": [string],
  "token_type": "Bearer",
  "expires_in": 86400, // token time to live in seconds
  "scope": "multicart.api email profile openid roles offline_access",
  "id_token": [string],
  "refresh_token": [string]
}

Include the access token as an Authorization: Bearer [token] header on all API queries.
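The following JavaScript is an added example, not code from Multicart or its client libraries. It builds the section 1.1 redirect URL, checks the state value on the callback before the section 1.2 token request, forms both token request bodies (sections 1.2 and 2.1) with encodeURIComponent as the page specifies, and turns the JSON response into the Bearer header; appId, the return URL, the state and the token values used with it are constructed sample values.

```javascript
// Added example (not Multicart's own library code): builds the identity
// redirect, validates the returned state and forms both token request
// bodies from sections 1 and 2. Identifier values in the tests are constructed.
const IDENTITY = "https://identity.multicartshop.com";
const TOKEN_ENDPOINT = `${IDENTITY}/api/connect/token`; // POST target for both bodies

// encodeURIComponent on every key and value, as the page specifies for
// both the query string and the x-www-form-urlencoded body.
function formEncode(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Step 1.1: the URL the customer is sent to. state is an unguessable,
// per-login value the app stores (e.g. in the session) so the callback
// can be tied back to the request that started it.
function buildAuthorizeUrl({ appId, returnUrl, scopes, state }) {
  const query = { application: appId, return: returnUrl, scope: scopes.join(" "), state };
  return `${IDENTITY}/?${formEncode(query)}`;
}

// Callback handler: refuse the code unless state matches what this app
// issued, so a code from a redirect the app never started is never exchanged.
function parseCallback(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  const code = params.get("code");
  if (!code) throw new Error("callback without authorization code");
  if (params.get("state") !== expectedState) throw new Error("state mismatch");
  return code;
}

// Step 1.2 body: grant_type=authorization_code (the browser-initiated flow).
function authCodeTokenBody({ appId, code, redirectUri }) {
  return formEncode({ grant_type: "authorization_code", client_id: appId, code, redirect_uri: redirectUri });
}

// Section 2 body: grant_type=client_credentials. The secret belongs only in
// this server-to-server POST body, never in a redirect or query string.
function clientCredentialsTokenBody({ appId, clientSecret, scopes }) {
  const body = { grant_type: "client_credentials", client_id: appId, client_secret: clientSecret, scope: scopes.join(" ") };
  return formEncode(body);
}

// Token response -> Authorization header for API calls plus the absolute
// expiry computed from expires_in (seconds), so the app can refresh in time.
function bearerFromTokenResponse(json, nowMs = Date.now()) {
  if (json.token_type !== "Bearer" || !json.access_token) throw new Error("unexpected token response");
  return { authorization: `Bearer ${json.access_token}`, expiresAtMs: nowMs + json.expires_in * 1000 };
}
```

POST either body to TOKEN_ENDPOINT with Content-Type application/x-www-form-urlencoded; the state check is what ties the code in the callback to a login this app actually began.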

3. Authentication client

Info

To simplify the authentication process, use one of the recommended Multicart client libraries.