Warning
You are browsing the documentation for the new Sharetribe Web Template. If you are using FTW-daily, hourly or product, see the legacy documentation.

Last updated

Authentication API

Description of the Flex Authentication API and how the Marketplace API and Integration API applications use it

Table of Contents

Authentication API

Both the Marketplace API and the Integration API require valid access tokens to be passed in every API request. Applications obtain those access tokens from the Authentication API.

As a general rule, applications that access the Marketplace API do so by authenticating an end user of the marketplace (via the user' username and password), while Integration API applications authenticate using their own credentials.

In order to access Flex APIs, you need to create an Application in Flex Console. Each Application has a client ID. In addition, applications that access the Integration API also have a corresponding client secret.

The Authentication API is based on the OAuth 2.0 framework.

See also the Authentication API reference documentation

The Authentication API's main endpoint is for issuing tokens. Depending on whether your application is accessing the Marketplace API or the Integration API, that endpoint requires different set of parameters and issues different kinds of access tokens.

Applications request access tokens using several different grant types:

  • client_credentials grant type is used by both Marketplace API and Integration API applications with some important differences:
    • when used by Marketplace API applications, it only requires the client ID and grants anonymous access tokens which can be used with any of the Marketplace API endpoints that provide public data about the marketplace (such as the /listings/ endpoints).
    • when used by Integration API applications, it requires both the client ID and the client secret and it grants access tokens that provide full access to the Integration API. It also provides a refresh token that can be used to obtain fresh access tokens later
  • password grant type is used only by Marketplace API applications and allows to authenticate the marketplace's end users via their own username and password. It also provides Marketplace API applications with a refresh token that can be used to obtain fresh access tokens and can act as the end user's session secret.
  • token_exchange grant type is used by Marketplace API to create a trusted context for e.g. privileged transitions within transactions. It uses both client ID and client secret, as well as a valid user access token obtained with password grant type.
  • refresh_token grant type is used by both Marketplace API and Integration API applications and grants a fresh access token when given a client ID and a valid refresh token.

All access tokens that the Authentication API grants are short lived (valid for some number of minutes). Instead of always using the main grant type repeatedly (i.e. password or client_credentials), implementations are advised to use the refresh_token grant, as refresh tokens are typically valid for much longer period of time (days to months). This practice minimizes the risk of a long term secret to be accidentally exposed (e.g. user's password or Integration API application's client secret).