We strongly recommend you interact with the Customer API using Supertab.js when building integrations with Supertab.Supertab.js deals with authentication, purchase confirmation, and payments for you and ensures that customers have the correct user experience.
All requests to the Customer API require authentication with a bearer token passed in the Authorization header unless stated otherwise. Additionally, all calls to the Customer API must also include the x-supertab-client-id header with your client id (see Clients for more information), and a version header. Supertab uses OAuth2 to issue JWT tokens. After your customer authenticates you will be able to take actions, such as purchasing, on their behalf. Instead of implementing OAuth2 yourself, you should consider using an existing library, or (recommended) make use of Supertab.js to authenticate users and obtain tokens. Example authenticated request to the Customer API: 
curl --location 'https://tapi.supertab.co/capi/customers/me' \
--header 'Authorization: Bearer ••••••' \
--header 'x-supertab-client-id: ••••••' \
--header 'x-api-version: 2025-04-01'

Clients

Before making a request to the Customer API you must generate an OAuth client. This is done for you automatically when you create a site. Each site will have an associated live and test client. You must pass an x-supertab-client-id header with every request containing your client id. The client id is used by the Customer API to determine which site the request is for, and whether the request is in test or live mode.
Make sure to use the client detail generated for your site when working with the Customer API.The API Keys generated separately in the API Keys section of the Business Portal are for use with the Merchant API.

API Settings

Base URLhttps://tapi.supertab.co/capi/
Supported GrantsAuthorization Code + PKCE, Refresh Token
Authentication URLhttps://auth.supertab.co/oauth2/auth
Token URLhttps://auth.supertab.co/oauth2/token
Token Typebearer

Redirect URIs

In order to successfully authenticate using oAuth2 you must pass a known redirect URI to the Authentication URL. You can configure your site’s redirect URI from the Business Portal - this is the Site URI that you provided when creating the site. We recommend you use Supertab.js to handle all authentication.

Scopes

The Customer API is scoped to allow issuing tokens with minimum permissions. The api specification details the required scopes for each operation. You must request a token with the scopes you require when authenticating the customer. The current available scopes are for the Customer API are:
  • capi:read: Make purchases and take other actions that modify a customer account.
  • capi:write: Check for entitlements and take other actions the retrieve a customer’s details.
Supertab.js handles acquiring tokens with the correct scopes for you.