Getting Connected

Authentication and OAuth

The Scalefast eCommerce API uses OAuth 2.0 as its authentication and authorization mechanism.

Requesting the properties of an object returns the public information about that object. If you need private data, you must first obtain the authorization of the owner of that data. This is done by asking the owner of the object for an access token; you then pass this token in every request to get the private data that is available at your level of authorization.

In addition, publishing to the eCommerce graph will usually require an access token.

Example: you can request the list of products available in a merchant’s catalog without providing any access token, but you will need the merchant’s authorization to get the list of its sales.

Authentication Mechanism

Three different steps are involved in Scalefast's authentication mechanism: user authentication, application authentication and application authorization:

  • User authentication ensures that the users are who they say they are.
  • Application authentication ensures that the users are giving their information to the right application.
  • Application authorization ensures that the users know exactly what data and access level they are giving to your application.

Once these steps are completed, an access token is issued to your application. This token allows you to access the user's information and take actions on their behalf.

A user of the Scalefast Platform can be a merchant, a customer, a backend user, a reseller, an affiliate, etc. They use their email address and their password to authenticate themselves.

As a developer of an application, you get an application ID and secret to authenticate your application to the Scalefast Platform.

By default, your application can only access public information. If your application needs more than that, you must request specific permissions from the user who owns the data. This is accomplished by adding a scope parameter to your request, set to a comma-separated list of the permissions you request.

An application is always linked to a Scalefast user account. When the application is designed to access the data of its own user account, the authentication API provides a method to programmatically authenticate both the user and the app at the same time. In this scheme the application gets an access token with all permissions, but it can still restrict them by specifying a scope. Because this method requires no user action (authentication and authorization), your application must hold both the app credentials and the user credentials. It must therefore be limited to server-side scripts used for secure, trusted machine-to-machine communication; never embed these credentials in client-side code, mobile apps or anything else an end user can inspect.

Getting an Access Token

You need to follow this authentication flow when you are implementing a server-side script that needs to manage your own data, for instance if you are a merchant and want to connect your platform to the Scalefast platform for synchronization (sales reports, customer export, order notification, product management, affiliate management, etc.).

In this case, we have provided you with a Scalefast user account as well as your application ID and secret. To perform actions on your account with the API, your application needs to request an access token for your own account. Because all actions are performed programmatically by your server-side scripts, we cannot prompt you for user authentication and authorization; that is why you must pass both your user and application credentials to authenticate both at the same time. In this manner we know that your application holds your user account credentials, and we issue a valid access token for your own user account.

To get an access token for your own user, issue the following GET request with these parameters: 

  • client_id is your application ID provided by Scalefast
  • client_secret is your application secret provided by Scalefast
  • grant_type must be set to password to tell Scalefast that you are doing an automated user authentication; Scalefast then knows that it must check the user_credentials parameter
  • user_credentials is a hash of your user account credentials: sha1(email.password), i.e. the SHA-1 digest of your email address immediately followed by your password (the `.` is string concatenation, PHP-style)

You must specify the user credentials of your own Scalefast user account; this request will not work with the credentials of another account. Note that with a GET request the client secret and the credential hash travel in the query string, so always use HTTPS and make sure your own HTTP client, proxies and web-server access logs do not record the full URL. The user_credentials value is an unsalted SHA-1 of your raw password, so treat it as a password equivalent and store it with the same care as the password itself.
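Worked example of the automated flow described above, added here as illustration; it is not Scalefast’s own client code. It computes the user_credentials hash, assembles the GET request (including the optional scope restriction mentioned in the previous section) and redacts the secrets before the URL is logged. The token endpoint URL, the hex encoding of the SHA-1 digest (the default output of PHP’s sha1(), which the notation sha1(email.password) suggests) and a JSON response carrying the token in response_data are assumptions, since the page does not show the request URL or the response body.

```python
import hashlib
import json
import urllib.parse

# Assumption: the page does not show the token endpoint; replace with the real one.
TOKEN_ENDPOINT = "https://api.scalefast.example/oauth/token"

# Parameters that are safe to keep in logs; everything else in the query
# string (client_secret, user_credentials) is a secret.
NON_SECRET_PARAMS = ("client_id", "grant_type", "scope")


def user_credentials(email: str, password: str) -> str:
    """sha1(email.password): SHA-1 of the email immediately followed by the
    password. Assumption: lowercase hex encoding, as PHP's sha1() returns.
    This is an unsalted hash of the raw password, so it is a password
    equivalent: keep it out of logs, source control and client-side code."""
    return hashlib.sha1((email + password).encode("utf-8")).hexdigest()


def token_request_params(client_id: str, client_secret: str, email: str,
                         password: str, scope=None) -> dict:
    """Query parameters for the automated (grant_type=password) token request.
    scope, if given, is a list of permission names joined with commas; it
    narrows the all-permissions token this flow otherwise issues."""
    params = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "password",
        "user_credentials": user_credentials(email, password),
    }
    if scope:
        params["scope"] = ",".join(scope)
    return params


def build_token_request(client_id: str, client_secret: str, email: str,
                        password: str, scope=None) -> str:
    """Full GET URL for the token request (send it over HTTPS only)."""
    params = token_request_params(client_id, client_secret, email, password, scope)
    return TOKEN_ENDPOINT + "?" + urllib.parse.urlencode(params)


def redact_for_log(url: str) -> str:
    """Secrets travel in the query string of this GET request, so never log
    the raw URL. Keep parameter names and only the non-secret values."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qsl(parts.query)
    safe = [(k, v if k in NON_SECRET_PARAMS else "<redacted>") for k, v in query]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(safe)))


def extract_token(body: str) -> str:
    """Pull the access token out of the server reply. Assumption: a JSON body
    with the token in the response_data field; adapt if the real reply differs."""
    data = json.loads(body)
    token = data.get("response_data")
    if not token:
        raise ValueError("no response_data in token response")
    return token


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    url = build_token_request("app-123", "s3cret", "merchant@example.com",
                              "hunter2", scope=["sales", "orders"])
    print(redact_for_log(url))
    # Constructed sample reply, assuming the JSON shape described above.
    print(extract_token('{"response_data": "tok_example"}'))
```

The redacted URL is the only form that should ever reach a log line; the raw one contains the application secret and a hash that is as good as the password.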

The authorization server then returns a valid access token that you can use in your API requests:

The token is returned in the response_data parameter sent by the server. It gives you access to all your user data, as if you had requested all the listed permissions and the user had authorized your application to access them.