OAuth 2.0 APIs

Digital River uses OAuth 2.0 for authentication and authorization of protected resources in the Shopper APIs. The Digital River OAuth 2.0 APIs allow third-party applications to authenticate and act on behalf of a shopper without ever handling the shopper's password. Public resources do not require an access token; they do, however, require an API key configured as a public key. For more details, see Valid Token Types.

The OAuth 2.0 APIs support several workflows. Which workflow an application should implement depends on the type of application using the APIs and on the use cases it plans to support. For example, applications that support anonymous shopping and use the shoppers/me API should use the ROPC (Resource Owner Password Credentials) OAuth workflow. A user-agent-based application should use the Implicit OAuth workflow.

There are various OAuth APIs and sequences of API calls that you can invoke to implement the various OAuth workflows.

The OAuth 2.0 APIs workflows can be implemented using the following resources:

Use the /oauth20/token API to establish a limited access token. You can use the limited access token to access resources before the shopper has been authenticated. When you request an access token from the /oauth20/token endpoint, you must provide your API key as a query parameter.

The limited access token is an authenticated token, but not an authorized token. You can use the /oauth20/authorize API to authenticate a shopper and establish a full access token. A full access token enables an application to use all of the shoppers/me APIs. You must send a request to the /oauth20/authorize endpoint that includes:

  • Your API key or access token as a query parameter.
  • The redirect URI. The URI to which the shopper is sent back after signing in successfully. Because the token is appended to this URI, it must be a URI your application controls.

This request redirects the shopper to the Global Commerce platform for authentication. After the shopper has successfully signed in, the shopper is redirected to the specified URI, with the new token added as a parameter.

From this point on, the full access token replaces the limited access token and is used for all subsequent requests. Because the token travels in the redirect URL, make sure your application does not write the raw callback URL to logs or pass it on in Referer headers.
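The following client-side helpers walk through the two steps above: build the limited-token request, build the authorize request with a redirect URI checked against the application's registered list, pull the full access token off the callback, and swap it into the shopper's session. This is an added example and not Digital River's own code. The host api.digitalriver.com, the query parameter names apiKey, redirect_uri and token, and the use of a Bearer Authorization header on later requests are assumptions; the page only says that the API key is sent as a query parameter and that the token is added to the redirect as a parameter. No HTTP calls are made; the functions produce and consume the URLs so they can be checked offline.

```python
"""Helpers for the limited-token -> full-token shopper OAuth flow (example only)."""
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs, parse_qsl

API_BASE = "https://api.digitalriver.com"   # assumed host for this example

# Assumed parameter names: the page says the API key goes in a query
# parameter and the token comes back as a redirect parameter, but does
# not name either of them.
API_KEY_PARAM = "apiKey"
TOKEN_PARAM = "token"


def build_token_request(api_key, base=API_BASE):
    """Request for a limited access token: POST /oauth20/token?apiKey=<key>.
    Returns (method, url, headers); the caller performs the HTTP call."""
    url = f"{base}/oauth20/token?{urlencode({API_KEY_PARAM: api_key})}"
    return "POST", url, {"Accept": "application/json"}


def build_authorize_url(credential, redirect_uri, registered_redirects, base=API_BASE):
    """URL that sends the shopper to Global Commerce to sign in.
    `credential` is the API key or the limited access token (same query
    parameter assumed for both). The redirect URI must exactly match one the
    application registered: the full access token is appended to it, so an
    attacker-chosen URI would receive the token."""
    if redirect_uri not in registered_redirects:
        raise ValueError("redirect_uri is not registered: %r" % redirect_uri)
    query = urlencode({API_KEY_PARAM: credential, "redirect_uri": redirect_uri})
    return f"{base}/oauth20/authorize?{query}"


def extract_token_from_redirect(url, registered_redirects):
    """Pull the full access token off the callback to the application.
    Checks the URL minus its parameters against the registered list first, so
    a forged callback to another path is rejected, then looks for the token in
    the query string and, failing that, in the fragment."""
    parts = urlsplit(url)
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    if bare not in registered_redirects:
        raise ValueError("callback does not match a registered redirect URI")
    for raw in (parts.query, parts.fragment):
        values = parse_qs(raw).get(TOKEN_PARAM)
        if values:
            return values[0]
    raise ValueError("redirect carried no token")


def redact(url):
    """Copy of a URL with token and API-key values masked, safe to log.
    The callback carries the token in the URL, so logging it raw leaks it."""
    secret = (TOKEN_PARAM, API_KEY_PARAM)

    def mask(raw):
        return urlencode([(k, "REDACTED" if k in secret else v)
                          for k, v in parse_qsl(raw, keep_blank_values=True)])

    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       mask(parts.query), mask(parts.fragment)))


class ShopperSession:
    """Holds whichever token the shopper currently has."""

    def __init__(self, limited_token):
        self.token = limited_token
        self.level = "limited"

    def upgrade(self, full_token):
        """The full access token replaces the limited one for later requests."""
        self.token = full_token
        self.level = "full"

    def auth_header(self):
        # Bearer scheme (RFC 6750) is an assumption for shoppers/me calls.
        return {"Authorization": f"Bearer {self.token}"}


if __name__ == "__main__":
    registered = {"https://shop.example/oauth/callback"}
    session = ShopperSession("limited-abc")                # constructed sample token
    print(redact(build_authorize_url(session.token,
                                     "https://shop.example/oauth/callback", registered)))
    callback = "https://shop.example/oauth/callback?token=full-xyz"  # constructed callback
    session.upgrade(extract_token_from_redirect(callback, registered))
    print(session.level, redact(callback))
```

The redirect check is exact-match on scheme, host and path; prefix or substring matching is what turns this step into an open redirect that hands the token to a third party.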

The default supported format for the Authorization API is application/json.