Authentication

​

Clients

Before making a request to the Merchant API, you must generate your OAuth2 Client ID and Client Secret in the Business Portal.

1. Log in to the Business Portal.
2. Click on the API Keys tab in the left sidebar.
3. Click on the Create API Key button.
4. Enter a name for your API key and click Save.
5. Copy the Client Secret value from the Your Secret modal and store it securely. You will not be able to view this value again.
6. Copy the Client Secret value and store it securely. You will not be able to view this value again. Click to close the modal containing the secret.
7. Copy the Client ID value from the list of API Keys corresponding to the key you just created. You will need this value to authenticate your requests.

You must pass an x-supertab-client-id header containing your client id with every request.

​

Obtaining a Token

The Merchant API uses OAuth2 Client Credentials Grant to authenticate requests.

To obtain a token, you must send a POST request to the token URL with your client id and secret, using the client_secret_basic method.

CLIENT_ID="YOUR_CLIENT_ID"
CLIENT_SECRET="YOUR_CLIENT_SECRET"
AUTH_URL="https://auth.supertab.co/oauth2/token"

# Encode the credentials in base64
BASIC_AUTH=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64)

curl -X POST "$AUTH_URL" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic $BASIC_AUTH" \
  -d "grant_type=client_credentials" \
  -d "scope=mapi:read mapi:write"

These tokens expire, so you should be prepared to handle token expiration and refresh when necessary.

​

API Settings

​

Scopes

The Merchant API is scoped to allow issuing tokens with minimum permissions.

The api specification details the required scopes for each operation. You must request a token with the scopes you require when authenticating the customer.

The following scopes are available:

• mapi:write: Create onetime offerings
• mapi:read: Check the status of purchases