We strongly recommend you interact with the Customer API using Supertab JS when building integrations with Supertab.

Supertab JS deals with authentication, purchase confirmation and payments for you and ensures that customers have the correct user experience.

Supertab JS will be available in Q2 2025.

All requests to the Customer API require authentication with a bearer token unless stated otherwise.

Supertab uses OAuth2 to issue JWT tokens which allow you to take actions such as purchasing on behalf of your customer from within the browser.

You should not implement OAuth2 yourself. Instead, use an existing library or (recommended) make use of Supertab JS to authenticate users and obtain tokens.

To make authenticated calls to the Customer API, pass the acquired token in the Authorization header as a bearer token.

All calls to the Customer API must also include the x-supertab-client-id header with your client id. See Clients for more information.

curl --location 'https://capi.supertab.co/customers/me' \
--header 'Authorization: Bearer ••••••' \
--header 'X-Supertab-Client-ID: ••••••'

Clients

Before making a request to the Customer API you must generate an OAuth client.

This is done for you automatically when you create a site. Each site will have an associated live and test client.

You must pass an x-supertab-client-id header with every request containing your client id.

The client id is used by the Customer API to determine which site the request is for, and whether the request is in test or live mode.

Make sure to use the client details generated for your site when working with the Customer API.

The API Keys generated separately in the Business Portal are for use with the Merchant API.

API Settings

Base URL: https://capi.supertab.co/
Supported Grants: Authorization Code + PKCE, Refresh Token
Authentication URL: https://auth.supertab.co/oauth2/auth
Token URL: https://auth.supertab.co/oauth2/token
Token Type: bearer

Redirect URIs

To authenticate successfully using OAuth2, you must pass a known redirect URI to the Authentication URL. You can configure your site’s redirect URI from the Business Portal; this is the Site URI that you provided when creating the site.

To support an enhanced UX, you may also authenticate your customer in a pop-up. To do so, open a pop-up to the Authentication URL with your redirect URI set to https://signon.supertab.co/oauth2/auth-proxy?origin={your-site-url} where {your-site-url} is the Site URI you set when creating the site.

You must open the pop-up from the same domain as your redirect URI.

We recommend you use Supertab JS to handle all authentication.

Scopes

The Customer API is scoped to allow issuing tokens with minimum permissions.

The API specification details the required scopes for each operation. You must request a token with the scopes you require when authenticating the customer.

Supertab JS handles acquiring tokens with the correct scopes for you.
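
For reviewing what an OAuth2 library or Supertab JS sends on your behalf, this added example (not Supertab code) builds the Authorization Code + PKCE request for the Authentication URL listed under API Settings and validates the redirect back to your site. The client id, the redirect URI and the S256 challenge method are assumptions, and it runs under Node.js so it can be checked offline.

```javascript
// Added example, not Supertab code. CLIENT_ID and REDIRECT_URI are placeholders;
// S256 as the challenge method is an assumption (the page only says "PKCE").
const crypto = require("node:crypto");
const AUTH_URL = "https://auth.supertab.co/oauth2/auth"; // from API Settings
const CLIENT_ID = "your-client-id";                      // placeholder
const REDIRECT_URI = "https://example.com/";             // placeholder Site URI

// RFC 7636: challenge = BASE64URL(SHA-256(ASCII(verifier))), no padding.
function challengeFor(verifier) {
  return crypto.createHash("sha256").update(verifier, "ascii").digest("base64url");
}

// 32 random bytes give a 43-character verifier, the RFC 7636 minimum length.
function newPkcePair() {
  const verifier = crypto.randomBytes(32).toString("base64url");
  return { verifier, challenge: challengeFor(verifier) };
}

// Scopes are passed in by the caller: request only those the operation needs.
function buildAuthorizationUrl({ scopes, state, challenge }) {
  const url = new URL(AUTH_URL);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    scope: scopes.join(" "),
    state,
    code_challenge: challenge,
    code_challenge_method: "S256",
  }).toString();
  return url.toString();
}

// Accept the authorization code only on the registered redirect URI and only
// when the returned state equals the value stored before redirecting.
function readCallback(callbackUrl, expectedState) {
  const url = new URL(callbackUrl);
  const registered = new URL(REDIRECT_URI);
  if (url.origin !== registered.origin || url.pathname !== registered.pathname)
    throw new Error("callback is not on the registered redirect URI");
  const params = url.searchParams;
  if (params.has("error")) throw new Error("authorization failed: " + params.get("error"));
  const got = Buffer.from(params.get("state") || "");
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want))
    throw new Error("state mismatch");
  if (!params.get("code")) throw new Error("missing authorization code");
  return params.get("code"); // exchanged at the token URL together with the verifier
}
```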