Tokens and Scopes

Tokens and Scopes

Authentication and authorization of users is handled by tokens and associated scopes. The Emporix API uses the OAuth 2.0 token-based authentication and authorization approach. API keys are used to generate access tokens, which are then used to authorize HTTP methods.

API credentials

To be able to effectively use the Emporix API, you need the relevant API keys. The Emporix Developer Portal provides you with two types of credentials out-of-the-box:

• Emporix API — Credentials required to obtain a service access token, which is used to access Emporix resources through the Emporix API. The credentials grant access to all the resources without any restrictions.

• Storefront API — The Client_ID credential is required to obtain an anonymous token for a customer browsing the storefront. The anonymous token stores the information about the unauthenticated customer's session, such as browsing products or adding items to cart. When a customer decides to log in, the anonymous token is required to generate a customer token that already contains the session information. The Storefront API credentials are also required to set up SSO authentication with token exchange.

In addition, you can define custom API keys credentials that bear scopes to particular resources only. This allows you to restrict system permissions and safely use these credentials in a specific use case or in a dedicated integration. For example, you can create credentials with the scopes to manage prices externally for the products in your database and use them in your CRM system integration. Custom API credentials have a dedicated Client_ID and Secret, that you can use to obtain the service access token with the specified scopes.

Tokens

Emporix uses different types of tokens to authenticate and authorize different types of users. These tokens, associated with different scope levels, serve fundamentally different purposes. The Emporix system explicitly distinguishes between two types of users: employee users and customers.

System/integration tokens

To grant smooth access to Emporix resources through API, whether to enable backend operations in the storefront implementation or in an external system integration, you need the Service Access Token.

Service access token

The Service Access Token serves for backend operations and administrative tasks.

• Purpose: A service access token is required to manage core Emporix services, granting the ability to perform actions such as adding new products, modifying prices, or managing categories.

• Required credentials: Service access tokens are generated using relevant backend API credentials (such as a backend Client ID and Secret).

• Endpoint: POST /oauth/token Requesting a service access token

Employee users tokens

The employee access tokens are based on the user groups an employee user belongs to. Employees are organized into groups that share specific access controls and roles, and these access controls are applied to the APIs through token scopes. The relevant access is granted upon a user logging in to the Emporix backend applications.

SSO Authentication Tokens

When an employee logs into the Emporix applications using Single Sign-On (SSO), an external Identity Provider (IDP) verifies their credentials. The IDP then returns a token that grants the employee access to the internal Emporix systems.

End customers tokens

The following tokens are associated with end customers authentication and authorization on the storefront.

Anonymous token

The Anonymous Token is required on a storefront for guest customers browsing and public access.

• Purpose: The anonymous token contains the session_id which bears the information about an unauthenticated customer's session, including the viewed products or items placed to cart, so that when the customer chooses to log in or register, their recent operations are persisted.

• Required credentials: The Storefront API Client_ID credential is required in the request.

• Endpoint: GET /customerlogin/auth/anonymous/login Requesting an anonymous token.

Customer token

The Customer Token contains encrypted data associated with a specific, authenticated shopper on the storefront. It is generated when a guest shopper chooses to log in to the online store.

• Purpose: A customer token allows the user to perform personal storefront actions associated with their account, such as completing a checkout or viewing their own orders.

• Required credentials: Customer tokens are generated using storefront credentials. When a guest shopper logs in using their email/password credentials or using SSO authentication, the system also requires an existing anonymous token to generate the customer token, ensuring that the user's guest shopping session (like their cart and preferences) is preserved after they authenticate. The customer token is associated with the same session_id as anonymous token.

• Endpoint: POST /customer/{tenant}/login Requesting a customer token.

  The response includes:

  • accessToken - authenticates a specific customer

  • saasToken - required for completing checkout by a customer

  • refreshToken - required to extend the customer's session

Saas Token

The Saas Token is a token associated with an authenticated customer and is further required for triggering checkout operation. It is obtained together with the customer access token.

• Endpoint: POST /customer/{tenant}/login Requesting a customer token.

Refresh token

A Refresh Token is a specific type of access token in the Emporix API used to generate a new customer token without forcing the user to log in again.

• Purpose: A refresh token is used to maintain a seamless customer's session. Before the customer's session expires, requesting a refresh token can extend the session so that the customer remains authenticated. The refresh token is particularly useful in B2B environments as it can also update the customer's session with their legal entity selection during the session. See also B2B Token.

• Endpoint: GET /customer/{tenant}/refreshauthtoken Requesting a refresh token.

B2B token

In B2B scenarios, customers often represent multiple companies and can act on behalf of more than one legal entity (company). The B2B token handles this by embedding the customer's currently selected legal entity directly into their authorization token. The legal entity parameter recognizes a customer's role assigned within the selected legal entity and provides the relevant permissions. Then, the B2B token populates the legalEntityId in the subsequent API requests triggered by the customer.

This token-based approach guarantees a consistent user experience and centralized security enforcement while maintaining the required legal entity-based access control. Because the system updates the token securely in the background, the customer is not forced to log in again to access the relevant data and scopes for the new entity.

• Purpose: The B2B token ensures that a B2B customer's access to company-related resources is properly determined in accordance to the defined customer's roles and permissions. Once the customer access token has been issued, and the customer wants to make a purchase on behalf of a specific entity, the customer access token has to be refreshed with the legalEntityId provided as a parameter.

• Endpoint: GET https://api.emporix.io/customer/{tenant}/refreshauthtoken Refreshing a customer token.

The token-based approach to pass the legalEntityId parameter guarantees that the relevant services use that information to retrieve relevant data. The legalEntityId header is injected in the requests.

• Example use cases of B2B tokens:

  • Placing an order on behalf of a specific legal entity: A B2B customer wants to make a purchase on behalf of a specific company. The legal entity has to be attached to the order information.

  • Accessing company-shared orders: A B2B customer with a manager permissions needs to access not only his own orders, but also orders placed by other customers representing the same legal entity.

  • Resolving products availability: With customer segments enabled, products visibility can become segment-based. Therefore, the endpoint responsible for retrieving products on the storefront has to return only these products that the customer has access to with the selected legal entity.

• Process: The following process steps demonstrate handling multiple legal entities with B2B tokens.

For more information on accessing company-shared resources, refer to the Company Shared Orders and Customer Groups.

The diagram shows how the legal entity information is fetched and passed:

SSO generated tokens

When a customer logs into the storefront using Single Sign-On (SSO), an external Identity Provider (IDP) verifies their credentials. The IDP then returns a token that grants the customer access to the internal Emporix systems.

Scopes

In the Emporix API, scopes define which operations you are allowed to perform and which resources you can access. They are a foundational part of the token-based authorization system and help enforce security by ensuring users and applications only interact with the data they are permitted to see or modify.

Scopes follow a standardized naming convention structure: [service_name].[resource_name]_[action_name]. For actions that grant read-only access to a resource, the terms read and view are used interchangeably.

Scope assignment by token type

Different types of access tokens handle scopes differently based on their intended user:

• Storefront tokens: Anonymous, customer, and refresh tokens come with a pre-defined set of scopes tailored for standard storefront activities.

• Service tokens: When requesting a service access token for backend or administrative operations, you can specify exactly which scopes you need. If you choose not to specify, you can request a token with all available scopes.

  • Custom credentials: You can configure additional OAuth2 clients in Emporix with highly specific, limited scopes. This is particularly useful for granting controlled access to external integrations, third-party systems, or partners without exposing your entire backend.

Identity and Access Management (IAM)

For internal employees working within the Emporix Management Dashboard, scopes are used to enforce Identity and Access Management (IAM) controls. When employees are assigned to specific groups, their associated roles and access permissions are translated into scopes applied to the APIs, ensuring they only have access to authorized resources.