Authentication

All API requests must be authenticated using HTTP Basic Authentication.

The Marketplace EQP API uses a two-step process to authenticate a client application and authorize access to resources:

  1. Using your API access key, obtain a session token.
  2. Provide the session token as an HTTP Authorization Bearer header to access a resource.

Base URLs

In code examples in this documentation, we use the Base URL of the sandbox.

Once you are confident your sandbox API calls are correct, and you wish to submit a package for full manual review on the production environment, do the following:

| Environment | Base URL |
|-------------|----------|
| sandbox | https://commercedeveloper-sandbox-api.adobe.com |
| production | https://commercedeveloper-api.adobe.com |

Authentication and authorization flow

You must use your API access key -- which is an application ID and secret -- to obtain your session token. The following is an example:

How to obtain a session token {#session-token}

The following endpoint grants a session token:

POST /rest/v1/app/session/token

Parameters:

You must specify the grant type in the request body:

{
   "grant_type": "session",
   "expires_in": 7200
}

Field details:

| Field | Type | Required | Description |
|-------|------|----------|-------------|
| grant_type | string | yes | The API only supports the session grant type; other values will give an error. |
| expires_in | int | no | Specifies the number of seconds that the session token will be valid. If the requested time exceeds the system's maximum allowed, the system's maximum limit will be used instead. |

The following example shows a request to the sandbox, using the application ID and secret from above. A successful HTTP 200 OK response will be sent for a valid application ID and secret.

Request

curl -X POST \
     -u 'AQ17NZ49WC:8820c99614d65f923df7660276f20e029d73e2ca' \
     -H 'Content-Type: application/json' \
     -d '{ "grant_type" : "session" }' \
     https://commercedeveloper-sandbox-api.adobe.com/rest/v1/app/session/token

Response

{
 "mage_id": "MAG123456789",
 "ust": "baGXoStRuR9VCDFQGZNzgNqbqu5WUwlr.cAxZJ9m22Le7",
 "expires_in": 7200
}

Field details:

| Field | Type | Description |
|-------|------|-------------|
| mage_id | string | Your user account. This is your "Magento ID." |
| ust | string | User Session Token. It will be used in the Authorization: Bearer header for all subsequent API calls. |
| expires_in | int | Number of seconds the session token will be valid. Example: 7200 seconds is 2 hours. |

How to use a session token

After obtaining a valid session token, you must use it as an authorization bearer token in all subsequent API calls. Using the example values from above, run the following command to access your user profile with a session token:

curl -X GET \
     -H 'Authorization: Bearer baGXoStRuR9VCDFQGZNzgNqbqu5WUwlr.cAxZJ9m22Le7' \
     https://commercedeveloper-sandbox-api.adobe.com/rest/v1/users/MAG123456789
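
The two-step flow above as a small Python client. This is an added example, not part of the original documentation or of Adobe's code. It reads the application ID and secret from the environment instead of the command line and tracks expiry from the `expires_in` the server returns. The environment variable names `EQP_APP_ID` and `EQP_APP_SECRET`, the `Session` class, `open_session`, and the 60-second safety margin are assumptions.

```python
import base64, json, os, time, urllib.request

BASE_URL = "https://commercedeveloper-sandbox-api.adobe.com"  # sandbox base URL from the page

def build_token_request(app_id, app_secret, expires_in=None):
    """Step 1: POST /rest/v1/app/session/token with HTTP Basic credentials."""
    body = {"grant_type": "session"}          # the only grant type the API supports
    if expires_in is not None:
        body["expires_in"] = int(expires_in)  # optional; the server may cap it
    basic = base64.b64encode(f"{app_id}:{app_secret}".encode()).decode()
    return urllib.request.Request(
        BASE_URL + "/rest/v1/app/session/token",
        data=json.dumps(body).encode(),
        headers={"Authorization": "Basic " + basic, "Content-Type": "application/json"},
        method="POST")

class Session:
    """Holds the 'ust' session token and the lifetime reported by the server."""
    def __init__(self, token_response, now=None, margin=60):
        now = time.time() if now is None else now
        self.mage_id = token_response["mage_id"]
        self._ust = token_response["ust"]
        # Use the returned expires_in, not the requested one: the server may have
        # capped it. The margin (assumed) avoids sending a token about to expire.
        self.expires_at = now + int(token_response["expires_in"]) - margin

    def is_valid(self, now=None):
        return (time.time() if now is None else now) < self.expires_at

    def build_request(self, path, now=None):
        """Step 2: attach the session token as an Authorization: Bearer header."""
        if not self.is_valid(now):
            raise RuntimeError("session token expired; request a new one")
        return urllib.request.Request(
            BASE_URL + path, headers={"Authorization": "Bearer " + self._ust})

    def __repr__(self):  # keep the token out of logs and tracebacks
        return f"Session(mage_id={self.mage_id!r}, ust=<redacted>)"

def open_session(expires_in=None):
    # Network call; credentials come from the environment (assumed variable names).
    req = build_token_request(os.environ["EQP_APP_ID"], os.environ["EQP_APP_SECRET"], expires_in)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return Session(json.load(resp))

if __name__ == "__main__":
    session = open_session()
    profile = session.build_request("/rest/v1/users/" + session.mage_id)
    with urllib.request.urlopen(profile, timeout=30) as resp:
        print(json.load(resp))
```
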