The API runs an authorization module when a request arrives. The module decides the level of access and passes it to the controller init scripts, which determine whether the requested controller is accessible.
- access only to retrieving basic data, such as product lists etc.
This method requires an API key, which maps to a domain. The domain is checked against the HTTP referrer, but the main purpose of the key and domain is tracking usage and rate limiting.
Full method / HTTP Basic access authentication (for more complex server apps)
- access to everything given by our access scopes system
- SSL Required
This method requires a username and password (no API key needed). The API returns 401 Unauthorized if the authentication details are missing or incorrect. Once the username and password are authenticated, the API checks which access scopes the account has and whether the requested controller needs any further scopes. If an account requests an API resource without the needed scope, the API returns 403 Forbidden: the authentication is correct, but the account does not have access.
Access Scopes (permission groups, similar to OAuth2)
Certain API requests require the site admin's authentication, such as adding or deleting content on the sites or processing confidential data. Permission to make such requests is grouped for simplicity: to create a product you need the store_content permission, and the same permission also covers categories and other store content.
Currently available scopes:
- store_content (Manages the products, categories, etc.)
- content (Manages the downloads, blog_items, pages, etc.)
- users (Manages the users, user groups, etc.)
- orders (Manages the orders, payment methods, delivery, etc.)
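The following is an added example, not the API's own authorization module, showing how the two access methods and the scope check described above fit together in one decision function. The API keys, accounts, passwords, controller names and the scope each controller requires are constructed sample data; the page does not specify a status code for a non-SSL request using HTTP Basic, so the 403 used for that case is an assumption. Note that the Referer header is supplied by the client, so the referrer/domain comparison is a usage-tracking aid as the page states, not an authentication check; only the username/password path grants scoped access.

```python
"""Added example: an authorization module modelled on the two access methods
(API key with domain/referrer, and HTTP Basic with access scopes) described
above. Sample data, controller names and required scopes are constructed."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample data; a real deployment reads these from a database.
API_KEYS = {
    "key-public-123": "shop.example",  # API key -> domain it was issued to
}
ACCOUNTS = {
    "admin": {"password": "correct horse", "scopes": {"store_content", "orders"}},
    "editor": {"password": "battery staple", "scopes": {"content"}},
}
# Scope each controller needs; None means basic (read-only) access is enough.
# Unknown controllers raise KeyError so the check fails closed.
CONTROLLER_SCOPES = {
    "products.list": None,
    "products.create": "store_content",
    "categories.create": "store_content",
    "blog_items.create": "content",
    "users.list": "users",
    "orders.list": "orders",
}


@dataclass
class Decision:
    status: int            # 200 allowed, 401 unauthenticated, 403 forbidden
    level: str             # "none", "basic" (API key) or "full" (HTTP Basic)
    scopes: set = field(default_factory=set)
    reason: str = ""


def basic_header(user, pwd):
    """Build an HTTP Basic Authorization header value (used by callers/tests)."""
    return "Basic " + base64.b64encode(f"{user}:{pwd}".encode()).decode()


def _parse_basic(header):
    """Return (username, password) from an HTTP Basic header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, pwd = decoded.partition(":")
    return user, pwd


def authorize(request, controller):
    """Decide the access level for a request and check it against the controller.

    request is a plain dict: {"is_https": bool, "headers": {...}, "query": {...}}.
    """
    required = CONTROLLER_SCOPES[controller]
    headers = request.get("headers", {})
    creds = _parse_basic(headers.get("Authorization"))

    # Full method: username and password over SSL; SSL is required.
    if creds:
        if not request.get("is_https"):
            # Status code for this case is an assumption (page only says SSL required).
            return Decision(403, "none", reason="SSL required for HTTP Basic authentication")
        user, pwd = creds
        account = ACCOUNTS.get(user)
        # Constant-time comparison; a real system compares password hashes.
        if account is None or not hmac.compare_digest(
                account["password"].encode(), pwd.encode()):
            return Decision(401, "none", reason="bad or missing authentication details")
        scopes = account["scopes"]
        if required is not None and required not in scopes:
            # Authenticated, but the account lacks the controller's scope.
            return Decision(403, "full", scopes, f"missing scope {required}")
        return Decision(200, "full", scopes)

    # Simple method: API key mapped to a domain, compared with the Referer host.
    key = request.get("query", {}).get("api_key")
    domain = API_KEYS.get(key)
    if domain is None:
        return Decision(401, "none", reason="missing or unknown API key")
    referer_host = headers.get("Referer", "").split("//", 1)[-1].split("/", 1)[0]
    if referer_host != domain:
        return Decision(403, "none", reason="referrer does not match API key domain")
    if required is not None:
        return Decision(403, "basic", reason=f"{controller} needs scope {required}")
    return Decision(200, "basic")
```

Every branch returns a Decision rather than raising, so the controller init script can log the reason alongside the status while the client only sees the 401/403 distinction the page describes: 401 when identity is not established, 403 when it is established but insufficient.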